Arbitrary Code Execution Vulnerability in Xiaomi Browser - Xiaomi
CVE-2019-13322

7.5HIGH

Key Information:

Vendor: Xiaomi
Status: Browser
Vendor: CVE Published:; 10 February 2020

What is CVE-2019-13322?

This vulnerability in Xiaomi Browser prior to version 10.4.0 enables remote attackers to execute arbitrary code through an exploited flaw within the miui.share application. Successful exploitation requires user interaction, where the user must visit a malicious webpage or open a malicious file. The root cause of this security issue lies in the inadequate validation of user-supplied data, which can facilitate unauthorized application downloads, allowing the attacker to execute code within the user’s context.

Affected Version(s)

Browser Prior to 10.4.0

References

https://www.zerodayinitiative.com/advisories/ZDI-19-660/

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2020
Vulnerability Reserved
Jul 5, 2019

Credit

MWR Labs - Georgi Geshev and Robert Miller