First published: Fri Apr 05 2019
A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter. The portion of an https URL before the ?q= substring is not shown to the user.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
mi Mi browser | =10.5.6-g | |
Mi Mint Browser | =1.5.3 | |
CVE-2019-10875 is a URL spoofing vulnerability found in all international versions of Xiaomi Mi browser 10.5.6-g and Mint Browser 1.5.3.
CVE-2019-10875 allows an attacker to spoof URLs by manipulating the "q" query parameter in the affected browsers.
The severity of CVE-2019-10875 is medium, with a severity value of 6.5.
To fix CVE-2019-10875, update Xiaomi Mi browser to version 10.6.1-g or later, and update Mint Browser to version 2.4.1 or later.
References for CVE-2019-10875 are available at the following links: [Packet Storm](http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html), [Xiaomi Security Response Center](https://sec.xiaomi.com/bug/5bedef67a31ec71e), and [The Hacker News](https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html).
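Added example (not from the advisory or from Xiaomi): a Python check that a mail or proxy filter could run over links, flagging https URLs whose `q` value reads like a host other than the one actually being visited, the shape in which the description above says the real origin is not shown. The host pattern, the same-site rule and the sample URLs are assumptions constructed for illustration, and the check looks at `q` anywhere in the query string, which is broader than the `?q=` position the advisory names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a loose pattern for a value that reads like a hostname or URL.
HOSTLIKE = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#].*)?$", re.I
)

def displayed_host(q_value):
    """Return the hostname a 'q' value would read as, or None for plain search text."""
    m = HOSTLIKE.match(q_value.strip())
    return m.group(1).lower() if m else None

def same_site(a, b):
    """True when the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_url(url):
    """Flag an https URL whose 'q' parameter names a host other than the real one."""
    parts = urlsplit(url)
    real = (parts.hostname or "").lower()
    # The advisory describes https URLs, so other schemes are left alone here.
    if parts.scheme != "https" or not real:
        return None
    for value in parse_qs(parts.query).get("q", []):
        shown = displayed_host(value)
        if shown and not same_site(shown, real):
            return {"real_host": real, "shown_as": shown}
    return None

# Constructed sample links (reserved example domains, not real indicators).
SAMPLES = [
    "https://phish.example.net/?q=www.example.com",
    "https://phish.example.net/?q=https://www.example.com/login",
    "https://www.example.com/search?q=url+spoofing",
    "https://www.example.com/?q=example.com",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_url(link))
```

A hit only means the link has the spoofable shape; it matters for clients still on the affected browser versions listed in the table.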