What is CVE-2023-41387?

CVE-2023-41387 is a critical vulnerability in the flutter_downloader component through version 1.11.1 for iOS, which allows remote attackers to steal session tokens and overwrite arbitrary files inside the app's container through SQL injection.

How does CVE-2023-41387 affect my system?

CVE-2023-41387 affects the systems running the Patreon Flutter Downloader version 1.11.1 and earlier on iOS, exposing the internal database to the local user and allowing remote attackers to steal session tokens and modify files inside the app's container.

What is the severity of CVE-2023-41387?

CVE-2023-41387 has a severity rating of 9.1, which is considered critical.

How can I fix CVE-2023-41387?

To fix CVE-2023-41387, it is recommended to update the Patreon Flutter Downloader component to version 1.11.2 or above, which addresses the SQL injection vulnerability.

Where can I find more information about CVE-2023-41387?

More information about CVE-2023-41387 can be found on the official package changelog for Flutter Downloader and a blog post detailing the exploitation of iOS apps to extract session tokens and overwrite user data.

Vulnerability/
CVE-2023-41387

critical

9.1

CWE

19/9/2023

25/9/2024

CVE-2023-41387: SQL Injection

First published: Tue Sep 19 2023(Updated: )

A SQL injection in the flutter_downloader component through 1.11.1 for iOS allows remote attackers to steal session tokens and overwrite arbitrary files inside the app's container. The internal database of the framework is exposed to the local user if an app uses UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace properties. As a result, local users can obtain the same attack primitives as remote attackers by tampering with the internal database of the framework on the device.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Patreon Flutter Downloader	<1.11.2
Apple iPhone OS

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-41387?
CVE-2023-41387 is a critical vulnerability in the flutter_downloader component through version 1.11.1 for iOS, which allows remote attackers to steal session tokens and overwrite arbitrary files inside the app's container through SQL injection.
How does CVE-2023-41387 affect my system?
CVE-2023-41387 affects the systems running the Patreon Flutter Downloader version 1.11.1 and earlier on iOS, exposing the internal database to the local user and allowing remote attackers to steal session tokens and modify files inside the app's container.
What is the severity of CVE-2023-41387?
CVE-2023-41387 has a severity rating of 9.1, which is considered critical.
How can I fix CVE-2023-41387?
To fix CVE-2023-41387, it is recommended to update the Patreon Flutter Downloader component to version 1.11.2 or above, which addresses the SQL injection vulnerability.
Where can I find more information about CVE-2023-41387?
More information about CVE-2023-41387 can be found on the official package changelog for Flutter Downloader and a blog post detailing the exploitation of iOS apps to extract session tokens and overwrite user data.

collector/nvd-api
collector/nvd-index
agent/weakness
agent/references
agent/severity
agent/author
agent/type
agent/event
agent/description
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/patreon
canonical/patreon flutter downloader
vendor/apple
canonical/apple iphone os

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.