cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2018-14980,https://securityvulnerability.io/vulnerability/CVE-2018-14980,Screenshot Vulnerability in ASUS ZenFone 3 Max Android Device by ASUS,"The ASUS ZenFone 3 Max Android device features an improper access control vulnerability in the system_server process, allowing malicious applications to capture screenshots without user consent. This exploit can be triggered by any co-located app, enabling it to initiate a screenshot operation and save the image to external storage. Additionally, if the attacking app obtains EXPAND_STATUS_BAR permission, it can manipulate the device to wake it up, revealing sensitive notifications, including two-factor authentication messages, even if the device is locked. The core Android framework's inability to disable this process highlights a significant security concern, as it exposes users to potential information leakage and misuse of their private data.",Asus,Zenfone 3 Max Firmware,7.1,HIGH,0.0004199999966658652,false,,false,false,false,,,false,false,,2019-04-25T19:27:26.000Z,0
CVE-2018-14979,https://securityvulnerability.io/vulnerability/CVE-2018-14979,,"The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials.",Asus,Zenfone 3 Max Firmware,4.7,MEDIUM,0.0006600000197067857,false,,false,false,false,,,false,false,,2018-12-28T21:00:00.000Z,0
CVE-2018-14992,https://securityvulnerability.io/vulnerability/CVE-2018-14992,,"The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed platform app with a package name of com.asus.dm (versionCode=1510500200, versionName=1.5.0.40_171122) that has an exposed interface in an exported service named com.asus.dm.installer.DMInstallerService that allows any app co-located on the device to use its capabilities to download an arbitrary app over the internet and install it. Any app on the device can send an intent with specific embedded data that will cause the com.asus.dm app to programmatically download and install the app. For the app to be downloaded and installed, certain data needs to be provided: download URL, package name, version name from the app's AndroidManifest.xml file, and the MD5 hash of the app. Moreover, any app that is installed using this method can also be programmatically uninstalled using the same unprotected component named com.asus.dm.installer.DMInstallerService.",Asus,Zenfone 3 Max Firmware,5.5,MEDIUM,0.0004400000034365803,false,,false,false,false,,,false,false,,2018-12-28T21:00:00.000Z,0