The Amazon Lab126 com.lab126.system sendEvent implementation on the Kindle Touch before 5.1.2 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a string, as demonstrated by using lipc-set-prop to set an LIPC property, a different vulnerability than CVE-2012-4248.
Max CVSS
10.0
EPSS Score
0.25%
Published
2012-08-12
Updated
2012-08-13
Stack-based buffer overflow in the havok_write function in drivers/staging/havok/havok.c in Amazon Fire OS before 2016-01-15 allows attackers to cause a denial of service (panic) or possibly have unspecified other impact via a long string to /dev/hv.
Max CVSS
10.0
EPSS Score
0.22%
Published
2017-04-10
Updated
2017-04-15
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when the device retrieves updates scripts from the internet.
Max CVSS
10.0
EPSS Score
1.15%
Published
2019-12-31
Updated
2020-08-24
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when retrieving internal network configuration data.
Max CVSS
9.8
EPSS Score
1.15%
Published
2019-12-11
Updated
2019-12-13
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName".
Max CVSS
9.8
EPSS Score
0.22%
Published
2020-01-08
Updated
2021-05-10
Firecracker vsock implementation buffer overflow in versions 0.18.0 and 0.19.0. This can result in potentially exploitable crashes.
Max CVSS
9.8
EPSS Score
0.82%
Published
2019-12-11
Updated
2022-09-13
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
Max CVSS
9.8
EPSS Score
1.39%
Published
2021-01-19
Updated
2021-01-28
Amazon AWS CloudFront TLSv1.2_2019 allows TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, which some entities consider to be weak ciphers.
Max CVSS
9.8
EPSS Score
0.22%
Published
2021-08-12
Updated
2021-08-23
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in queue.c for queue creation.
Max CVSS
9.8
EPSS Score
0.22%
Published
2021-04-22
Updated
2021-06-02
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.
Max CVSS
9.8
EPSS Score
0.22%
Published
2021-04-22
Updated
2021-06-02
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory.
Max CVSS
9.8
EPSS Score
0.22%
Published
2021-05-03
Updated
2021-05-12
The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.
Max CVSS
9.8
EPSS Score
0.19%
Published
2021-12-12
Updated
2021-12-15
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 is able to address this issue. The name of the patch is c3e6d69422e1f0c80fe53f2d757b8df97619af2b. It is recommended to upgrade the affected component. The identifier VDB-216737 was assigned to this vulnerability.
Max CVSS
9.8
EPSS Score
0.15%
Published
2022-12-27
Updated
2024-03-21
Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an "Alexa versus Alexa (AvA)" attack.
Max CVSS
9.8
EPSS Score
0.35%
Published
2022-02-24
Updated
2022-03-09
The Amazon Kindle Touch before 5.1.2 does not properly restrict access to the libkindleplugin.so NPAPI plugin interface, which might allow remote attackers to have an unspecified impact via vectors involving the (1) dev.log, (2) lipc.set, (3) lipc.get, or (4) todo.scheduleItems method, a different vulnerability than CVE-2012-4249.
Max CVSS
9.3
EPSS Score
0.36%
Published
2012-08-12
Updated
2012-08-13
ActiveSetupN.exe in Amazon Audible for Windows before November 2017 allows attackers to execute arbitrary DLL code if ActiveSetupN.exe is launched from a directory where an attacker has already created a Trojan horse dwmapi.dll file.
Max CVSS
9.3
EPSS Score
0.12%
Published
2017-12-06
Updated
2017-12-20
Amazon Kindle e-reader prior to and including version 5.13.4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function CJBig2Image::expand() and results in a memory corruption that leads to code execution when parsing a crafted PDF book.
Max CVSS
9.3
EPSS Score
0.17%
Published
2021-09-01
Updated
2021-09-10
Amazon Kindle e-reader prior to and including version 5.13.4 improperly manages privileges, allowing the framework user to elevate privileges to root.
Max CVSS
9.3
EPSS Score
0.08%
Published
2021-09-01
Updated
2021-09-10
In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on Windows, argument injection in the workspaces:// URI handler can lead to remote code execution because of the Chromium Embedded Framework (CEF) --gpu-launcher argument. This is fixed in 3.1.9.
Max CVSS
9.3
EPSS Score
0.42%
Published
2021-09-22
Updated
2021-09-30
Amazon Ring Doorbell before 3.4.7 mishandles encryption, which allows attackers to obtain audio and video data, or insert spoofed video that does not correspond to the actual person at the door.
Max CVSS
9.1
EPSS Score
0.10%
Published
2019-03-01
Updated
2021-07-21
Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have "root" privilege access to the Android filesystem in order to exploit this vulnerability (i.e. the device has been compromised, such as disabling or bypassing Android's fundamental security mechanisms).
Max CVSS
9.0
EPSS Score
0.90%
Published
2019-04-04
Updated
2021-05-10
"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0.
Max CVSS
9.0
EPSS Score
0.05%
Published
2023-12-22
Updated
2024-01-08
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Amazon Music Player 6.1.5.1213. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5521.
Max CVSS
8.8
EPSS Score
2.59%
Published
2018-03-02
Updated
2019-10-09
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration via the ssid parameter.
Max CVSS
8.8
EPSS Score
0.22%
Published
2019-12-11
Updated
2019-12-13
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration via the encryption parameter.
Max CVSS
8.8
EPSS Score
0.22%
Published
2019-12-11
Updated
2019-12-13
126 vulnerabilities found
1 2 3 4 5 6
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!