Filtered by vendor Mi
Subscriptions
Total
100 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-13023 | 1 Mi | 2 Mi Router 3, Miwifi Os | 2024-08-05 | N/A |
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter. | ||||
CVE-2018-13022 | 1 Mi | 2 Mi Router 3, Miwifi Os | 2024-08-05 | N/A |
Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path. | ||||
CVE-2018-6065 | 4 Debian, Google, Mi and 1 more | 7 Debian Linux, Chrome, Mi6 Browser and 4 more | 2024-08-05 | 8.8 High |
Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
CVE-2019-18371 | 1 Mi | 2 Millet Router 3g, Millet Router 3g Firmware | 2024-08-05 | 7.5 High |
An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication. | ||||
CVE-2019-18370 | 1 Mi | 2 Millet Router 3g, Millet Router 3g Firmware | 2024-08-05 | 9.8 Critical |
An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the application's sh script for testing upload and download speeds reads a URL list from /tmp/speedtest_urls.xml, and there is a command injection vulnerability, as demonstrated by api/xqnetdetect/netspeed. | ||||
CVE-2019-15914 | 1 Mi | 10 Dgnwg03lm, Dgnwg03lm Firmware, Mccgq01lm and 7 more | 2024-08-05 | 7.5 High |
An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Attackers can use the ZigBee trust center rejoin procedure to perform mutiple denial of service attacks. | ||||
CVE-2019-15915 | 1 Mi | 8 Dgnwg03lm, Dgnwg03lm Firmware, Mccgq01lm and 5 more | 2024-08-05 | 7.5 High |
An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, RTCGQ01LM devices. Attackers can utilize the "discover ZigBee network procedure" to perform a denial of service attack. | ||||
CVE-2019-15913 | 1 Mi | 10 Dgnwg03lm, Dgnwg03lm Firmware, Mccgq01lm and 7 more | 2024-08-05 | 9.8 Critical |
An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, causing attackers to gain sensitive information and denial of service attack, take over smart home devices, and tamper with messages. | ||||
CVE-2019-15843 | 1 Mi | 1 Xiaomi Millet Firmware | 2024-08-05 | 7.4 High |
A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A particular condition involving a man-in-the-middle attack may lead to partial data leakage or malicious file writing. | ||||
CVE-2019-15471 | 1 Mi | 2 Mix 2s, Mix 2s Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | ||||
CVE-2019-15427 | 1 Mi | 2 Mix, Mix Firmware | 2024-08-05 | 3.3 Low |
The Xiaomi Mi Mix Android device with a build fingerprint of Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
CVE-2019-15473 | 1 Mi | 2 A2 Lite, A2 Lite Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | ||||
CVE-2019-15468 | 1 Mi | 2 A2 Lite, A2 Lite Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
CVE-2019-15475 | 1 Mi | 2 A3, A3 Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | ||||
CVE-2019-15474 | 1 Mi | 2 Cepheus, Cepheus Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | ||||
CVE-2019-15470 | 1 Mi | 2 Redmi Note 6 Pro, Redmi Note 6 Pro Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | ||||
CVE-2019-15469 | 1 Mi | 2 Pad 4, Pad 4 Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | ||||
CVE-2019-15467 | 1 Mi | 2 Mix 2s, Mix 2s Firmware | 2024-08-05 | 3.3 Low |
The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=A2060_201801032053) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
CVE-2019-15472 | 1 Mi | 2 A2 Lite, A2 Lite Firmware | 2024-08-05 | 5.5 Medium |
The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | ||||
CVE-2019-15466 | 1 Mi | 2 Redmi 6 Pro, Redmi 6 Pro Firmware | 2024-08-05 | 3.3 Low |
The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V10.2.6.0.ODMMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812191721) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. |