Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-20523

Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request.

Published

2019-06-07T16:29:00.440

Last Modified

2024-11-21T04:01:39.083

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-77

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mi	stock_browser	10.2.4g	Yes
Operating System	mi	redmi_7_firmware	-	Yes
Hardware	mi	redmi_7	-	No
Operating System	mi	redmi_note_7_firmware	-	Yes
Hardware	mi	redmi_note_7	-	No
Operating System	mi	redmi_note_6_pro_firmware	-	Yes
Hardware	mi	redmi_note_6_pro	-	No
Operating System	mi	redmi_6_firmware	-	Yes
Hardware	mi	redmi_6	-	No
Operating System	mi	redmi_6a_firmware	-	Yes
Hardware	mi	redmi_6a	-	No
Operating System	mi	redmi_s2_firmware	-	Yes
Hardware	mi	redmi_s2	-	No
Operating System	mi	redmi_note_5_pro_firmware	-	Yes
Hardware	mi	redmi_note_5_pro	-	No
Operating System	mi	redmi_k20_pro_firmware	-	Yes
Hardware	mi	redmi_k20_pro	-	No
Operating System	mi	redmi_k20_firmware	-	Yes
Hardware	mi	redmi_k20	-	No
Operating System	mi	redmi_7a_firmware	-	Yes
Hardware	mi	redmi_7a	-	No
Operating System	mi	redmi_go_firmware	-	Yes
Hardware	mi	redmi_go	-	No
Operating System	mi	redmi_note_5_firmware	-	Yes
Hardware	mi	redmi_note_5	-	No
Operating System	mi	redmi_y3_firmware	-	Yes
Hardware	mi	redmi_y3	-	No
Operating System	mi	redmi_note_7s_firmware	-	Yes
Hardware	mi	redmi_note_7s	-	No
Operating System	mi	redmi_s2_firmware	-	Yes
Hardware	mi	redmi_s2	-	No
Operating System	mi	redmi_4a_firmware	-	Yes
Hardware	mi	redmi_4a	-	No
Operating System	mi	redmi_note_4_firmware	-	Yes
Hardware	mi	redmi_note_4	-	No
Operating System	mi	redmi_5_plus_firmware	-	Yes
Hardware	mi	redmi_5_plus	-	No
Operating System	mi	redmi_note_5a_prime_firmware	-	Yes
Hardware	mi	redmi_note_5a_prime	-	No

References

http://packetstormsecurity.com/files/163796/Xiaomi-10.2.4.g-Information-Disclosure.html Exploit, Third Party Advisory, VDB Entry ([email protected])
https://sec.xiaomi.com Broken Link, Vendor Advisory ([email protected])
https://vishwarajbhattrai.wordpress.com/2019/03/22/content-provider-injection-in-xiaomi-stock-browser Exploit, Third Party Advisory ([email protected])
http://packetstormsecurity.com/files/163796/Xiaomi-10.2.4.g-Information-Disclosure.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://sec.xiaomi.com Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://vishwarajbhattrai.wordpress.com/2019/03/22/content-provider-injection-in-xiaomi-stock-browser Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)