Xiaomi Pro 13 Cross-Site Scripting Remote Code Execution Vulnerability
CVE-2024-4405
8.8 HIGH
Summary
The vulnerability in Xiaomi Pro 13 smartphones is a Cross-Site Scripting (XSS) flaw in the manual-upgrade.html file. The issue arises because input supplied by users through the manualUpgradeInfo parameter is not adequately sanitized when the parameter is processed. Remote attackers can exploit this vulnerability by persuading users to visit malicious web pages or open harmful files, leading to the execution of arbitrary code in the context of the user. The flaw emphasizes the need for stringent input validation to prevent unauthorized code execution and protect user data.
Affected Version(s)
Pro 13 14.0.5.0
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved