Unsecured Content Provider in Infinix Mobile Devices
CVE-2024-12993

4.8 MEDIUM

Key Information:

Vendor
Infinix Mobile
Status
Com.rlk.weathers
Vendor
CVE Published:
30 December 2024

Summary

Infinix mobile devices are impacted by a serious security issue involving the pre-installed 'com.rlk.weathers' application. The application exposes an unsecured content provider that attackers can access. An attacker who communicates with this content provider may be able to reveal sensitive information, such as the user's location. Despite multiple attempts to reach out to Infinix for clarification or a patch, no response has been received, raising concerns that this flaw could affect all models in the Infinix mobile device line.
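One way to audit for this class of issue is to check a decoded AndroidManifest.xml for providers that are exported without a read permission. The script below is an added example, not code from the advisory or the vendor; the manifest, package name, provider names and authorities are constructed placeholders, and the export default it applies is standard Android behaviour rather than something stated in the advisory.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form). Package, provider names and
# authorities are placeholders, not values taken from com.rlk.weathers.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <provider android:name=".OpenProvider"
              android:authorities="com.example.weather.open"
              android:exported="true"/>
    <provider android:name=".WriteOnlyGuard"
              android:authorities="com.example.weather.halfopen"
              android:exported="true"
              android:writePermission="com.example.weather.WRITE"/>
    <provider android:name=".GuardedProvider"
              android:authorities="com.example.weather.guarded"
              android:exported="true"
              android:permission="com.example.weather.ACCESS"/>
    <provider android:name=".PrivateProvider"
              android:authorities="com.example.weather.private"/>
  </application>
</manifest>"""


def unprotected_read_providers(manifest_xml):
    """Return names of providers any installed app can query without a permission."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    findings = []
    for prov in root.iter("provider"):
        exported = prov.get(ANDROID + "exported")
        # Without an explicit value, a provider is exported only when the app
        # targets API level 16 or lower.
        is_exported = exported == "true" if exported is not None else target <= 16
        # android:readPermission takes precedence over android:permission for reads;
        # android:writePermission alone leaves query() open.
        read_guard = prov.get(ANDROID + "readPermission") or prov.get(ANDROID + "permission")
        if is_exported and not read_guard:
            findings.append(prov.get(ANDROID + "name"))
    return findings


if __name__ == "__main__":
    for name in unprotected_read_providers(SAMPLE_MANIFEST):
        print("exported provider readable without permission:", name)
```

The check does not evaluate `<path-permission>` children or the protection level of the declared permission, so a provider it passes can still be weakly guarded.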

Affected Version(s)

com.rlk.weathers Android 7.0.0.037

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Szymon Chadam