Sign-up

ID

VAR-202003-1399


CVE

CVE-2020-9530


TITLE

Xiaomi MIUI Information leakage vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2020-002531

DESCRIPTION

An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps(com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView component of Messaging(com.android.MMS) and loading malicious web pages, information leakage can occur. This is fixed on version: 2001122; 11.0.1.54. Xiaomi MIUI The device contains a vulnerability related to information leakage.Information may be obtained. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Mi9 Browser. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of manualUpgradeInfo objects. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of the current process. Xiaomi MIUI is an Android-based smartphone operating system developed by China's Xiaomi Technology Company (Xiaomi). There is a security vulnerability in Xiaomi MIUI V11.0.5.0.QFAEUXM version, the vulnerability stems from the fact that the program does not properly handle the function used to open other components. An attacker can exploit this vulnerability to obtain information through a specially crafted web page

Trust: 2.34

sources: NVD: CVE-2020-9530 // JVNDB: JVNDB-2020-002531 // ZDI: ZDI-20-289 // VULHUB: VHN-187655

AFFECTED PRODUCTS

vendor:mimodel:miuiscope:eqversion:11.0.5.0.qfaeuxm

Trust: 1.6

vendor:xiaomimodel:miuiscope:eqversion:11.0.5.0.qfaeuxm

Trust: 0.8

vendor:xiaomimodel:browserscope: - version: -

Trust: 0.7

vendor:mimodel:miuiscope:eqversion: -

Trust: 0.6

sources: ZDI: ZDI-20-289 // JVNDB: JVNDB-2020-002531 // CNNVD: CNNVD-202003-246 // NVD: CVE-2020-9530

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9530
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-002531
value: MEDIUM

Trust: 0.8

ZDI: CVE-2020-9530
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202003-246
value: MEDIUM

Trust: 0.6

VULHUB: VHN-187655
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9530
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002531
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187655
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9530
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-002531
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-9530
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-289 // VULHUB: VHN-187655 // JVNDB: JVNDB-2020-002531 // CNNVD: CNNVD-202003-246 // NVD: CVE-2020-9530

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.1

problemtype:CWE-200

Trust: 0.9

sources: VULHUB: VHN-187655 // JVNDB: JVNDB-2020-002531 // NVD: CVE-2020-9530

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-246

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202003-246

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-002531

PATCH
title:Thank you Letter | Thanks to FSecureLabs for supporting Xiaomi Securityurl:https://sec.xiaomi.com/post/180
Trust: 0.8
title:Xiaomi MIUI Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111273
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-002531 // 
            
            
            
            CNNVD: CNNVD-202003-246

EXTERNAL IDS
db:NVDid:CVE-2020-9530
Trust: 3.2
db:ZDIid:ZDI-20-289
Trust: 2.4
db:JVNDBid:JVNDB-2020-002531
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-9665
Trust: 0.7
db:CNNVDid:CNNVD-202003-246
Trust: 0.7
db:CNVDid:CNVD-2020-16489
Trust: 0.1
db:VULHUBid:VHN-187655
Trust: 0.1
sources:
            
            
            ZDI: ZDI-20-289 // 
            
            
            
            VULHUB: VHN-187655 // 
            
            
            
            JVNDB: JVNDB-2020-002531 // 
            
            
            
            CNNVD: CNNVD-202003-246 // 
            
            
            
            NVD: CVE-2020-9530

REFERENCES
url:https://sec.xiaomi.com/post/180
Trust: 1.7
url:https://www.zerodayinitiative.com/advisories/zdi-20-289/
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2020-9530
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9530
Trust: 0.8
sources:
            
            
            VULHUB: VHN-187655 // 
            
            
            
            JVNDB: JVNDB-2020-002531 // 
            
            
            
            CNNVD: CNNVD-202003-246 // 
            
            
            
            NVD: CVE-2020-9530

CREDITS
@fluoroacetate
Trust: 0.7
sources:
            
            
            ZDI: ZDI-20-289

SOURCES
db:ZDIid:ZDI-20-289
db:VULHUBid:VHN-187655
db:JVNDBid:JVNDB-2020-002531
db:CNNVDid:CNNVD-202003-246
db:NVDid:CVE-2020-9530

LAST UPDATE DATE
2024-11-23T22:48:03.148000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-20-289date:2020-03-12T00:00:00
db:VULHUBid:VHN-187655date:2021-07-21T00:00:00
db:JVNDBid:JVNDB-2020-002531date:2020-03-18T00:00:00
db:CNNVDid:CNNVD-202003-246date:2020-03-13T00:00:00
db:NVDid:CVE-2020-9530date:2024-11-21T05:40:48.940

SOURCES RELEASE DATE
db:ZDIid:ZDI-20-289date:2020-03-12T00:00:00
db:VULHUBid:VHN-187655date:2020-03-06T00:00:00
db:JVNDBid:JVNDB-2020-002531date:2020-03-18T00:00:00
db:CNNVDid:CNNVD-202003-246date:2020-03-06T00:00:00
db:NVDid:CVE-2020-9530date:2020-03-06T17:15:12.493