Vulnerabilities > Externally Controlled Reference to a Resource in Another Sphere

DATE CVE VULNERABILITY TITLE RISK
2019-11-14 CVE-2019-15419 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Asus X105D Firmware
The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack.
local
low complexity
asus CWE-610
7.8
2019-11-14 CVE-2019-15418 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Asus Pegasus 4 MAX Firmware and Pegasus 4A Firmware
The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack.
local
low complexity
asus CWE-610
7.8
2019-11-14 CVE-2019-15415 Externally Controlled Reference to a Resource in Another Sphere vulnerability in MI Redmi 5 Firmware
The Xiaomi Redmi 5 Android device with a build fingerprint of xiaomi/vince/vince:7.1.2/N2G47H/V9.5.4.0.NEGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1711_201803291645) that allows unauthorized wireless settings modification via a confused deputy attack.
local
low complexity
mi CWE-610
3.3
2019-11-14 CVE-2019-15405 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Asus Pegasus 4 MAX Firmware and Pegasus 4A Firmware
The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component.
local
low complexity
asus CWE-610
7.8
2019-11-14 CVE-2019-15394 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Asus Zenfone 5 Selfie Firmware
The Asus ZenFone 5 Selfie Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.
local
low complexity
asus CWE-610
7.8
2019-11-14 CVE-2019-15393 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Asus Zenfone Live (L1) Firmware
The Asus ZenFone Live Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.
local
low complexity
asus CWE-610
3.3
2019-05-22 CVE-2018-7824 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Schneider-Electric Driver Suite and Modbus Serial Driver
An Externally Controlled Reference to a Resource (CWE-610) vulnerability exists in Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior) which could allow write access to system files available only to users with SYSTEM privilege or other important user files.
network
low complexity
schneider-electric CWE-610
4.9
2019-02-11 CVE-2018-9582 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 8.0/8.1/9.0
In package installer in Android-8.0, Android-8.1 and Android-9, there is a possible bypass of the unknown source warning due to a confused deputy scenario.
local
low complexity
google CWE-610
7.8
2019-01-15 CVE-2017-18357 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Shopware
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
network
low complexity
shopware CWE-610
6.5
2018-10-18 CVE-2018-12381 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Mozilla Firefox
Manually dragging and dropping an Outlook email message into the browser will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.
network
low complexity
mozilla CWE-610
5.3