CVE-2023-26316

EPSS 0.37%
Published 02.08.2023 14:15:10
Last modified 21.11.2024 07:51:06
Source security@xiaomi.com
Teams watchlist Login
Open Login

A XSS vulnerability exists in the Xiaomi cloud service Application product. The vulnerability is caused by Webview's whitelist checking function allowing javascript protocol to be loaded and can be exploited by attackers to steal Xiaomi cloud service account's cookies.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Mi ≫ Xiaomi Cloud Version <= 1.12.0.0.25

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.37%	0.576

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=322

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-26316

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-26316

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-26316

EUVD