ZDI-20-288: (Pwn2Own) Xiaomi GetApps Intent Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Xiaomi GetApps. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of intents. The issue lies in the ability to send an intent that would not otherwise be permitted. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the application.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xiaomi Mi6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-20-288?
The severity of ZDI-20-288 is critical due to its potential for privilege escalation.
How do I fix ZDI-20-288?
To fix ZDI-20-288, update the Xiaomi GetApps application to the latest version provided by Xiaomi.
Who is affected by ZDI-20-288?
ZDI-20-288 affects users of the Xiaomi Mi6 device with the vulnerable version of Xiaomi GetApps installed.
What type of exploit is ZDI-20-288 associated with?
ZDI-20-288 is associated with local privilege escalation exploits.
Can ZDI-20-288 be exploited remotely?
No, ZDI-20-288 requires local access to the device to execute the exploit.
- agent/type
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-20-288
- alias/ZDI-CAN-9657
- alias/CVE-2020-9531
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/title
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- agent/source
- vendor/xiaomi
- canonical/xiaomi mi6