Arbitrary Code Execution Vulnerability in Xiaomi Browser
CVE-2019-13321

5.5MEDIUM

Key Information:

Vendor: Xiaomi
Status: Browser
Vendor: CVE Published:; 10 February 2020

Summary

The vulnerability present in Xiaomi Browser prior to version 10.4.0 allows network adjacent attackers to execute arbitrary code through malicious HTTP responses to the Captive Portal. Exploitation requires user interaction, specifically, the target must connect to a malicious access point. A specially crafted HTML response can trigger the Captive Portal to open a browser to a predetermined location without user interaction. This flaw poses significant risks as it can be exploited alongside other vulnerabilities to execute code within the context of the currently running process.

Affected Version(s)

Browser Prior to 10.4.0

References

https://www.zerodayinitiative.com/advisories/ZDI-19-659/

x_refsource_MISC

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 10, 2020
Vulnerability Reserved
Jul 5, 2019

Credit

Anonymous