Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
oneplus vulnerabilities and exploits
(subscribe to this query)
891
VMScore
CVE-2017-11105
The OnePlus 2 Primary Bootloader (PBL) does not validate the SBL1 partition before executing it, although it contains a certificate. This allows attackers with write access to that partition to disable signature validation.
Oneplus Primary Bootloader -
891
VMScore
CVE-2017-5626
OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the malicious user to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset...
Oneplus Oxygenos
891
VMScore
CVE-2017-5624
An issue exists in OxygenOS prior to 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. Having dm-verity disabled, the kernel will no...
Oneplus Oxygenos
828
VMScore
CVE-2017-5554
An issue exists in ABOOT in OnePlus 3 and 3T OxygenOS prior to 4.0.2. The attacker can reboot the device into the fastboot mode, which could be done without any authentication. A physical attacker can press the "Volume Up" button during device boot, where an attacker wi...
Oneplus Oxygenos
641
VMScore
CVE-2017-5623
An issue exists in OxygenOS prior to 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in contradiction to the threat model of Android where the bootloader MUST NOT ...
Oneplus Oxygenos
446
VMScore
CVE-2016-10370
An issue exists on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due to the digital signature), it unnecessarily increases the attack surface, and allows for r...
Oneplus Oxygenos
410
VMScore
CVE-2017-5947
An issue exists in OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS 5.0 and previous versions. The attacker can reboot the device into the Qualcomm Emergency Download (EDL) mode through ADB or by using Volume-Up when connected to USB, which in turn could allow for downgradin...
Oneplus Oxygenos
2 Github repositories
384
VMScore
CVE-2017-8851
An issue exists on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact that both products share the same 'ro.build.product' system property, attacker...
Oneplus Oxygenos
384
VMScore
CVE-2017-5948
An issue exists on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that the current version is lower than or equal to the given image's. Downgra...
Oneplus Oxygenos
384
VMScore
CVE-2017-8850
An issue exists on OnePlus One, X, 2, 3, and 3T devices. Due to a lenient updater-script in the OnePlus OTA images, and the fact that both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders, which all...
Oneplus Oxygenos
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-17519
open redirect
CVE-2024-21683
cache poisoning
CVE-2021-47524
CVE-2021-47521
CVE-2024-5229
CVE-2021-47560
local
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
NEXT »