CVE-2021-41849

Published: Mar 11, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It sends the following Personally Identifiable Information (PII) in plaintext using HTTP to servers located in China: user's list of installed apps and device International Mobile Equipment Identity (IMEI). This PII is transmitted to log.skyroam.com.cn using HTTP, independent of whether the user uses the Simo software.

Affected (5)

Products: Bluproducts: G90 Firmware, G9 Firmware · Wikomobile: Tommy 3 Firmware, Tommy 3 Plus Firmware · Luna: Simo Firmware

2 products

2 products

Tommy 3 Firmware

Tommy 3 Plus Firmware

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Bluproducts G90 Firmware	All versions

Running on/with	Platform Versions
Bluproducts G90	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Bluproducts G9 Firmware	All versions

Running on/with	Platform Versions
Bluproducts G9	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wikomobile Tommy 3 Firmware	All versions

Running on/with	Platform Versions
Wikomobile Tommy 3	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wikomobile Tommy 3 Plus Firmware	All versions

Running on/with	Platform Versions
Wikomobile Tommy 3 Plus	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Luna Simo Firmware	All versions

Running on/with	Platform Versions
Luna Simo	All versions

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (8)

https://athack.com/session-details/401

Source: cve@mitre.org

Third Party Advisory

https://simowireless.com/

Source: cve@mitre.org

Vendor Advisory

https://www.kryptowire.com/android-firmware-2022/

Source: cve@mitre.org

Broken Link

https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/

Source: cve@mitre.org

ExploitThird Party Advisory

https://athack.com/session-details/401

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://simowireless.com/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.kryptowire.com/android-firmware-2022/

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.