First published: Mon Feb 10 2020(Updated: )
This vulnerability allows network adjacent attackers to execute arbitrary code on affected installations of Xiaomi Browser Prior to 10.4.0. User interaction is required to exploit this vulnerability in that the target must connect to a malicious access point. The specific flaw exists within the handling of HTTP responses to the Captive Portal. A crafted HTML response can cause the Captive Portal to to open a browser to a specified location without user interaction. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7467.
Credit: zdi-disclosures@trendmicro.com
Affected Software | Affected Version | How to fix |
---|---|---|
Xiaomi Browser | ||
mi Mi browser | <10.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID of this vulnerability is CVE-2019-13321.
The affected software is Xiaomi Browser prior to version 10.4.0.
The severity of CVE-2019-13321 is high with a severity value of 8.
This vulnerability allows network adjacent attackers to execute arbitrary code on affected installations of Xiaomi Browser prior to version 10.4.0 by exploiting a flaw within the handling of captive portal WebView authorization.
Yes, user interaction is required to exploit CVE-2019-13321 as the target must connect to a malicious access point.