Vulnerabilities > MI > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-11-14 | CVE-2019-15470 | Unspecified vulnerability in MI Redmi Note 6 PRO Firmware The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. | 5.5 |
| 2019-11-14 | CVE-2019-15469 | Unspecified vulnerability in MI PAD 4 Firmware The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. | 5.5 |
| 2019-11-14 | CVE-2019-15468 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in MI A2 Lite Firmware The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack. | 5.5 |
| 2019-06-07 | CVE-2018-20523 | Command Injection vulnerability in MI products Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. | 5.3 |
| 2019-06-06 | CVE-2019-12762 | Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anomalies via a radio signal between 198 kHz and 203 kHz, as demonstrated by a transmitter and antenna hidden just beneath the surface of a coffee-shop table, aka Ghost Touch. | 4.2 |
| 2019-05-31 | CVE-2019-12500 | Missing Authentication for Critical Function vulnerability in MI M365 Firmware The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "suddenly accelerate" commands. | 6.5 |
| 2019-04-05 | CVE-2019-10875 | Authentication Bypass by Spoofing vulnerability in MI Browser and Mint Browser A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter. | 6.5 |
| 2019-02-17 | CVE-2019-8413 | NULL Pointer Dereference vulnerability in MI MIX 2 Firmware 4.4.78 On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661). | 5.5 |
| 2018-11-27 | CVE-2018-13022 | Cross-site Scripting vulnerability in MI Miwifi OS 2.22.15 Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path. | 6.1 |