7.5

CVE-2021-33057

Exploit

EPSS 0.34%
Veröffentlicht 26.07.2022 23:15:07
Zuletzt bearbeitet 21.11.2024 06:08:11
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tencent ≫ Qq Version8.7.1 SwPlatformandroid

Tencent ≫ Qq Version8.7.1 SwPlatformiphone_os

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.562

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://arxiv.org/pdf/2205.15202.pdf

Third Party Advisory

Technical Description

https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-Permissions/blob/main/QQ%20applet%20location%20permission%20vulnerability%20report.pdf

Third Party Advisory

Exploit

https://tencent.com

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-33057

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-33057

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-33057

EUVD