← back
CVE-2014-8507

CVE-2014-8507

EPSS 1.6%
Multiple SQL injection vulnerabilities in the queryLastApp method in packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in the WAPPushManager module in Android before 5.0.0 allow remote attackers to execute arbitrary SQL commands, and consequently launch an activity or service, via the (1) wapAppId or (2) contentType field of a PDU for a malformed WAPPush message, aka Bug 17969135.
Affected products
n/a · n/a
public PoCs found2
cve_referencepacketstormsecurity.com/files/129283/Android-WAPPushManager-SQL-Injection.htmlunverifiedexploitdbwww.exploit-db.com/exploits/35382unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/129283/Android-WAPPushManager-SQL-Injection.htmlhttps://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6http://seclists.org/fulldisclosure/2014/Nov/86http://www.securityfocus.com/bid/71310http://xteam.baidu.com/?p=167