Filtered by vendor Mi Subscriptions
Total 100 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-26317 1 Mi 1 Xiaomi Router Firmware 2024-10-16 7 High
Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing.
CVE-2023-26320 2 Mi, Xiaomi 3 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware, Xiaomi Router 2024-10-08 7.5 High
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.
CVE-2023-26319 2 Mi, Xiaomi 3 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware, Xiaomi Router 2024-10-08 6.7 Medium
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.
CVE-2023-26315 1 Mi 2 Ax9000, Ax9000 Firmware 2024-10-08 6.5 Medium
The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device.
CVE-2023-26316 1 Mi 1 Xiaomi Cloud 2024-09-27 6.1 Medium
A XSS vulnerability exists in the Xiaomi cloud service Application product. The vulnerability is caused by Webview's whitelist checking function allowing javascript protocol to be loaded and can be exploited by attackers to steal Xiaomi cloud service account's cookies.
CVE-2024-45348 1 Mi 1 Ax9000 Firmware 2024-09-26 6.4 Medium
Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.
CVE-2023-26323 1 Mi 1 App Market 2024-09-20 7.6 High
A code execution vulnerability exists in the Xiaomi App market product. The vulnerability is caused by unsafe configuration and can be exploited by attackers to execute arbitrary code.
CVE-2023-27346 1 Mi 1 Ax1800 Firmware 2024-09-18 N/A
TP-Link AX1800 Firmware Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AX1800 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of firmware images. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-19703.
CVE-2023-26318 2 Mi, Xiaomi 3 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware, Xiaomi Router 2024-09-18 6.7 Medium
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Xiaomi Xiaomi Router allows Overflow Buffers.
CVE-2023-26324 2 Mi, Xiaomi 2 Getapps, Getapps Application 2024-09-12 8.8 High
A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.
CVE-2023-26322 2 Mi, Xiaomi 2 Getapps, Getapps Application 2024-09-12 8.8 High
A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.
CVE-2023-26321 1 Mi 1 File Manager 2024-09-12 6.3 Medium
A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file.
CVE-2018-20823 1 Mi 2 Mi 5s, Mi 5s Firmware 2024-08-05 N/A
The gyroscope on Xiaomi Mi 5s devices allows attackers to cause a denial of service (resonance and false data) via a 20.4 kHz audio signal, aka a MEMS ultrasound attack.
CVE-2018-20523 1 Mi 37 Redmi 4a, Redmi 4a Firmware, Redmi 5 Plus and 34 more 2024-08-05 5.3 Medium
Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request.
CVE-2018-19939 1 Mi 4 Mi A2 Lite, Mi A2 Lite Firmware, Redmi 6 and 1 more 2024-08-05 7.5 High
The Goodix GT9xx touchscreen driver for custom Linux kernels on Xiaomi daisy-o-oss and daisy-p-oss as used in Mi A2 Lite and RedMi6 pro devices through 2018-08-27 has a NULL pointer dereference in kfree after a kmalloc failure in gtp_read_Color in drivers/input/touchscreen/gt917d/gt9xx.c.
CVE-2018-18698 1 Mi 2 Xiaomi Mi-a1, Xiaomi Mi-a1 Firmware 2024-08-05 N/A
An issue was discovered on Xiaomi Mi A1 tissot_sprout:8.1.0/OPM1.171019.026/V9.6.4.0.ODHMIFE devices. They store cleartext Wi-Fi passwords in logcat during the process of setting up the phone as a hotspot.
CVE-2018-16307 1 Mi 2 Xiaomi Miwifi Xiaomi 55dd, Xiaomi Miwifi Xiaomi 55dd Firmware 2024-08-05 N/A
An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.
CVE-2018-16130 1 Mi 2 Mi Router 3, Miwifi Os 2024-08-05 N/A
System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter.
CVE-2018-14010 1 Mi 7 Xiaomi R3, Xiaomi R3c, Xiaomi R3c Firmware and 4 more 2024-08-05 N/A
OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.
CVE-2018-14060 1 Mi 2 Xiaomi R3d, Xiaomi R3d Firmware 2024-08-05 N/A
OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.