Cyber Resilience

CVE-2019-20470
Severity: High

Published: 01 February 2021
Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0121 (79.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-20470 is a high-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in TK-Star Q90 Junior GPS horloge firmware. Its CVSS v3.1 base score is 7.5 (High): the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N describes an attack reachable over the network (here, SMS) that needs no privileges and no user interaction, with high impact on confidentiality and none on integrity or availability.

Operationally, its EPSS score of 0.0121 places it in the 79.4th percentile, i.e. the top 20.6% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It performs actions based on certain SMS commands. This can be used to set up a voice communication channel from the watch to any telephone number, initiated by sending a specific SMS and using the default password, e.g., pw,<password>,call,<mobile_number> triggers an outbound call from the watch. The password is sometimes available because of CVE-2019-20471.

Authentication of the command rests entirely on the password carried in the SMS body. Where the watch still uses its factory default, no secret is needed to trigger the call; that is the CWE-1188 condition. Where the default has been changed, the password may still be exposed through CVE-2019-20471, so changing it is necessary but not by itself sufficient.
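As an added illustration (not the device's firmware and not part of the original advisory), the following Python models the SMS command dispatch the description implies: a handler that accepts pw,<password>,call,<number> on the factory-default password, next to a hardened handler that refuses privileged commands until the default is replaced, restricts command senders to an admin allowlist and rejects weak replacement passwords. The default value "000000", the "pw" password-change command, the admin-number allowlist and the minimum password length are assumptions made for the example, not facts about the TK-Star Q90.

```python
"""SMS command handler of the kind the advisory describes
(pw,<password>,<command>[,<args>]): first with the insecure default
(CWE-1188), then hardened.  Added example, not the TK-Star Q90 firmware;
the default value, the 'pw' change command, the admin allowlist and the
minimum password length are assumptions made for illustration."""

from dataclasses import dataclass

FACTORY_DEFAULT_PASSWORD = "000000"  # assumed placeholder, not the real default
MIN_PASSWORD_LEN = 6                 # assumed policy


@dataclass
class Sms:
    sender: str  # number the SMS arrived from
    body: str


def parse_command(body):
    """Split 'pw,<password>,<command>[,<arg>...]' into (password, command,
    args); None when the body has another shape, so unrelated SMS is ignored."""
    parts = [p.strip() for p in body.split(",")]
    if len(parts) < 3 or parts[0].lower() != "pw":
        return None
    return parts[1], parts[2].lower(), parts[3:]


class VulnerableWatch:
    """Authenticates on the password alone, and the password starts as the
    factory default: anyone who can text the watch's SIM and knows the
    default (or obtains the password by other means) can make it dial out."""

    def __init__(self):
        self.password = FACTORY_DEFAULT_PASSWORD
        self.calls = []  # numbers the watch has been told to dial

    def _dispatch(self, command, args):
        if command == "call" and args:
            self.calls.append(args[0])
            return "calling " + args[0]
        if command == "pw" and args:  # assumed password-change command
            self.password = args[0]
            return "password changed"
        return "unknown command"

    def handle_sms(self, sms):
        parsed = parse_command(sms.body)
        if parsed is None:
            return "ignored"
        password, command, args = parsed
        if password != self.password:
            return "bad password"
        return self._dispatch(command, args)


class HardenedWatch(VulnerableWatch):
    """Same wire format with the insecure default closed off: commands only
    from configured admin numbers, nothing privileged while the password is
    still the default, and no weak or default replacement password."""

    def __init__(self, admin_numbers):
        super().__init__()
        self.admin_numbers = set(admin_numbers)

    def _dispatch(self, command, args):
        if command == "pw" and args:
            new = args[0]
            if new == FACTORY_DEFAULT_PASSWORD or len(new) < MIN_PASSWORD_LEN:
                return "weak password rejected"
        elif self.password == FACTORY_DEFAULT_PASSWORD:
            return "change the default password first"  # the CWE-1188 fix
        return super()._dispatch(command, args)

    def handle_sms(self, sms):
        if sms.sender not in self.admin_numbers:
            return "sender not authorised"
        return super().handle_sms(sms)


def demo():
    """Drive both handlers with constructed SMS traffic; returns the replies."""
    admin, stranger, target = "+15550000001", "+15550000002", "+15559999999"
    attack = Sms(stranger, "pw,%s,call,%s" % (FACTORY_DEFAULT_PASSWORD, target))
    vulnerable = VulnerableWatch()
    hardened = HardenedWatch(admin_numbers=[admin])
    return {
        "vulnerable": vulnerable.handle_sms(attack),
        "hardened_stranger": hardened.handle_sms(attack),
        "hardened_default": hardened.handle_sms(Sms(admin, attack.body)),
        "hardened_weak_change": hardened.handle_sms(Sms(admin, "pw,000000,pw,000000")),
        "hardened_change": hardened.handle_sms(Sms(admin, "pw,000000,pw,correct-horse")),
        "hardened_old_password": hardened.handle_sms(Sms(admin, attack.body)),
        "hardened_call": hardened.handle_sms(Sms(admin, "pw,correct-horse,call," + target)),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(name, "->", reply)
```

The vulnerable handler dials the attacker's number on the first message because the stored password equals the default and nothing else is checked. The hardened handler keeps the same SMS format but makes the default unusable for anything except replacing itself, and the sender allowlist means that even a password leaked through a separate weakness such as CVE-2019-20471 does not let an arbitrary phone drive the watch.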

CWE(s)

CWE-1188: Initialization of a Resource with an Insecure Default
CWE-284: Improper Access Control

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tk-star
Product: q90 junior gps horloge firmware
Version: 3.1042.9.8656

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-284 (Improper Access Control) and CWE-1188 (Initialization of a Resource with an Insecure Default).

Defines roles, responsibilities, and access rules for configuration management activities, making improper access to configuration resources harder to exploit.

Baseline includes documented access control settings that are reviewed and maintained, reducing the ability to exploit improper access control.

Restricting available functions and services reduces the attack surface and enforces proper access control boundaries.

Tailoring selects and adjusts the precise set of access-control baselines and compensating controls required for the system, directly reducing improper access control exposure.

Central management enforces consistent access-control policies across systems, reducing the likelihood of missing or inconsistent enforcement.

Scans identify improper access control implementations and missing protections on system resources.

Explicit training on access control mechanisms and their operation makes improper access control harder to introduce via misconfiguration.

Guidance on effective use of access control mechanisms and known configuration vulnerabilities makes improper access control harder to exploit.
