Arbitrary Code Execution Vulnerability in Xiaomi Browser - Xiaomi
CVE-2019-13322

7.5 HIGH

Key Information:

Vendor
Xiaomi
Status
Vendor
CVE Published: 10 February 2020

Summary

This vulnerability in Xiaomi Browser prior to version 10.4.0 allows remote attackers to execute arbitrary code through a flaw in the miui.share application. Exploitation requires user interaction: the user must visit a malicious webpage or open a malicious file. The root cause is inadequate validation of user-supplied data, which can facilitate unauthorized application downloads and allows the attacker to execute code in the context of the user.

Affected Version(s)

Browser Prior to 10.4.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MWR Labs - Georgi Geshev and Robert Miller