CVE-2020-9530

An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps(com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView component of Messaging(com.android.MMS) and loading malicious web pages, information leakage can occur. This is fixed on version: 2001122; 11.0.1.54.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://sec.xiaomi.com/post/180	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-289/	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:o:mi:miui_firmware:11.0.5.0.qfaeuxm:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-06 17:15

Updated : 2023-12-10 13:13

NVD link : CVE-2020-9530

Mitre link : CVE-2020-9530

CVE.ORG link : CVE-2020-9530

JSON object : View

Products Affected

mi

miui_firmware

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2020-9530", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-03-06T17:15:12.493", "references": [{"url": "https://sec.xiaomi.com/post/180", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-289/", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps(com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView component of Messaging(com.android.MMS) and loading malicious web pages, information leakage can occur. This is fixed on version: 2001122; 11.0.1.54."}, {"lang": "es", "value": "Se ha detectado un problema en los dispositivos Xiaomi MIUI versi\u00f3n V11.0.5.0.QFAEUXM. El componente export de GetApps(com.xiaomi.mipicks) maneja inapropiadamente la funcionalidad de abrir otros componentes. Los atacantes necesitan inducir a usuarios a abrir p\u00e1ginas web espec\u00edficas en un entorno de red espec\u00edfico. Al saltar al componente WebView de Messaging(com.android.MMS) y cargando p\u00e1ginas web maliciosas, puede ocurrir un filtrado de informaci\u00f3n. Esto es corregido en la versi\u00f3n: 2001122; 11.0.1.54."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mi:miui_firmware:11.0.5.0.qfaeuxm:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63CFF65D-314B-4414-ADAC-72B10C9E3741"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}