CWE
89
Advisory Published
Updated

CVE-2018-14066: SQL Injection

First published: Sun Jul 15 2018(Updated: )

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Google Android=7.0
Infinix Mobile devices
Google Android=6.0
Lenovo Lenovo A7020

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2018-14066?

    CVE-2018-14066 is a vulnerability in the content://wappush content provider in com.android.provider.telephony, which allows SQL injection.

  • What is the severity of CVE-2018-14066?

    The severity of CVE-2018-14066 is critical with a CVSS score of 9.8.

  • Which software versions are affected by CVE-2018-14066?

    Google Android 7.0 and 6.0 are affected by CVE-2018-14066.

  • How does CVE-2018-14066 impact Infinix X571 phones?

    CVE-2018-14066 allows an application without the READ_SMS permission to read SMS messages on Infinix X571 phones.

  • Where can I find more information about CVE-2018-14066?

    More information about CVE-2018-14066 can be found at the following link: [https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/](https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/)

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203