Lucene search

6 matches found

Prion
added 2019/11/26 4:15 p.m., 18 views

Authentication flaw

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, PIN authentication can be bypassed by creating a special file within the /data/local/tmp/ directory. The System application that implements the lock screen checks for the existence of a specific file and disables PIN authentication if it exists. Thi...

CVSS 4.6 | AI score 6.7 | EPSS 0.00478
Exploits: 1 | References: 2 | Affected Software: 1

Prion
added 2019/11/26 4:15 p.m., 14 views

Code injection

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. This web API is normally used by the system application...

CVSS 4.3 | AI score 6.2 | EPSS 0.00746
Exploits: 1 | References: 2 | Affected Software: 1

Prion
added 2019/11/26 4:15 p.m., 16 views

Command injection

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an engineering application named omamock that is vulnerable to OS command injection. An attacker with physical access to the device can abuse this vulnerability to execute arbitrary OS commands as the root user via the application's UI...

CVSS 7.2 | AI score 7.1 | EPSS 0.01123
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2019/11/26 3:33 p.m., 50 views

CVE-2019-16241

CVE-2019-16241 affects TCL Alcatel Cingular Flip 2 B9HUAH1: PIN authentication can be bypassed by placing a specially crafted file in /data/local/tmp/. The System lock-screen app checks for this file’s existence and disables PIN if found, typically via ADB over USB. This is the explicit, device-s...

CVSS 6.8 | AI score 6.6 | EPSS 0.00478
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2019/11/26 3:31 p.m., 43 views

CVE-2019-16243

CVE-2019-16243 affects TCL Alcatel Cingular Flip 2 B9HUAH1. An undocumented web API accessible from unprivileged JavaScript (including KaiOS browser) lets an attacker view and edit the device’s firmware OTA update settings; this API is normally used by OmaService.js by the system app. The root ca...

CVSS 6.1 | AI score 6.2 | EPSS 0.00746
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2019/11/26 3:30 p.m., 70 views

CVE-2019-16242

CVE-2019-16242 affects the OC engineering app omamock on TCL Alcatel Cingular Flip 2 B9HUAH1. The vulnerability is OS command injection arising from inadequate input handling when constructing OS commands, enabling an attacker with physical access to execute arbitrary commands as root via the app...

CVSS 7.2 | AI score 7.1 | EPSS 0.01123
Exploits: 1 | References: 2 | Affected Software: 1