Tencent: Security Vulnerabilities
A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows attackers to cause a Denial of Service (DoS) via a crafted lua script.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-08-03
In the WeChat application 8.0.10 for Android and iOS, a mini program can obtain sensitive information from a user's address book via wx.searchContacts.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-07-26
The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-07-26
TencentOS-tiny version 3.1.0 is vulnerable to integer wrap-around in function 'tos_mmheap_alloc incorrect calculation of effective memory allocation size. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
CVSS Score
7.3
EPSS Score
0.011
Published
2022-05-03
Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update package, replacing a download URL with one pointing to an arbitrary Windows executable. Because the only integrity check would be a comparison of the downloaded file's MD5 checksum to the one contained within the XML document, the downloaded executable would then be executed on the victim's machine.
CVSS Score
8.1
EPSS Score
0.008
Published
2021-06-06
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat 2.9.5 desktop version. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-11907.
CVSS Score
6.5
EPSS Score
0.006
Published
2021-04-14
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat 7.0.18. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM Decoder. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11580.
CVSS Score
8.8
EPSS Score
0.012
Published
2021-02-10
Shenzhen Tencent TIM Windows client 3.0.0.21315 has a DLL hijacking vulnerability, which can be exploited by attackers to execute malicious code.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-09-03
The Shenzhen Tencent app 5.8.2.5300 for PC platforms (from Tencent App Center) has a DLL hijacking vulnerability. Attackers can use this vulnerability to execute malicious code.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-09-03
QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\SYSTEM by writing a malicious executable to the location of TsService.
CVSS Score
7.8
EPSS Score
0.096
Published
2020-04-09