First published: Sun Jul 15 2018
The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Google Android | =7.0 | |
Infinix Mobile devices | | |
Google Android | =6.0 | |
Lenovo Lenovo A7020 | | |
CVE-2018-14066 is a vulnerability in the content://wappush content provider in com.android.provider.telephony, which allows SQL injection.
The severity of CVE-2018-14066 is critical with a CVSS score of 9.8.
Google Android 7.0 and 6.0 are affected by CVE-2018-14066.
CVE-2018-14066 allows an application without the READ_SMS permission to read SMS messages on Infinix X571 phones.
More information about CVE-2018-14066 can be found at the following link: [https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/](https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/)