Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-33057

The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.

Published

2022-07-26T23:15:07.987

Last Modified

2024-11-21T06:08:11.827

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	tencent	qq	8.7.1	Yes
Application	tencent	qq	8.7.1	Yes

References

https://arxiv.org/pdf/2205.15202.pdf Technical Description, Third Party Advisory ([email protected])
https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-Permissions/blob/main/QQ%20applet%20location%20permission%20vulnerability%20report.pdf Exploit, Third Party Advisory ([email protected])
https://tencent.com Vendor Advisory ([email protected])
https://arxiv.org/pdf/2205.15202.pdf Technical Description, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-Permissions/blob/main/QQ%20applet%20location%20permission%20vulnerability%20report.pdf Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://tencent.com Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)