5.3

CVE-2018-20523

Exploit
Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MiStock Browser Version10.2.4g
MiRedmi 7 Firmware Version-
   MiRedmi 7 Version-
MiRedmi Note 7 Firmware Version-
   MiRedmi Note 7 Version-
MiRedmi Note 6 Pro Firmware Version-
   MiRedmi Note 6 Pro Version-
MiRedmi 6 Firmware Version-
   MiRedmi 6 Version-
MiRedmi 6a Firmware Version-
   MiRedmi 6a Version-
MiRedmi S2 Firmware Version-
   MiRedmi S2 Version-
MiRedmi Note 5 Pro Firmware Version-
   MiRedmi Note 5 Pro Version-
MiRedmi K20 Pro Firmware Version-
   MiRedmi K20 Pro Version-
MiRedmi K20 Firmware Version-
   MiRedmi K20 Version-
MiRedmi 7a Firmware Version-
   MiRedmi 7a Version-
MiRedmi Go Firmware Version-
   MiRedmi Go Version-
MiRedmi Note 5 Firmware Version-
   MiRedmi Note 5 Version-
MiRedmi Y3 Firmware Version-
   MiRedmi Y3 Version-
MiRedmi Note 7s Firmware Version-
   MiRedmi Note 7s Version-
MiRedmi S2 Firmware Version-
   MiRedmi S2 Version-
MiRedmi 4a Firmware Version-
   MiRedmi 4a Version-
MiRedmi Note 4 Firmware Version-
   MiRedmi Note 4 Version-
MiRedmi 5 Plus Firmware Version-
   MiRedmi 5 Plus Version-
MiRedmi Note 5a Prime Firmware Version-
   MiRedmi Note 5a Prime Version-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 10.01% 0.95
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://packetstormsecurity.com/files/163796/Xiaomi-10.2.4.g-Information-Disclosure.html
Third Party Advisory
Exploit
VDB Entry
https://sec.xiaomi.com
Vendor Advisory
Broken Link
https://vishwarajbhattrai.wordpress.com/2019/03/22/content-provider-injection-in-xiaomi-stock-browser
Third Party Advisory
Exploit