CVE-2023-26316

Published: Aug 2, 2023Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A XSS vulnerability exists in the Xiaomi cloud service Application product. The vulnerability is caused by Webview's whitelist checking function allowing javascript protocol to be loaded and can be exploited by attackers to steal Xiaomi cloud service account's cookies.

Affected (1)

Products: Mi: Xiaomi Cloud

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mi Xiaomi Cloud	Up to 1.12.0.0.25

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=322

Source: security@xiaomi.com

Vendor Advisory

https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=322

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.