Vulnerabilities > MI > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-11-14 CVE-2019-15470 Unspecified vulnerability in MI Redmi Note 6 PRO Firmware
The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component.
local
low complexity
mi
5.5

2019-11-14 CVE-2019-15469 Unspecified vulnerability in MI PAD 4 Firmware
The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component.
local
low complexity
mi
5.5

2019-11-14 CVE-2019-15468 Externally Controlled Reference to a Resource in Another Sphere vulnerability in MI A2 Lite Firmware
The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack.
local
low complexity
mi CWE-610
5.5

2019-06-07 CVE-2018-20523 Command Injection vulnerability in MI products
Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection.
network
low complexity
mi CWE-77
5.3

2019-06-06 CVE-2019-12762
Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anomalies via a radio signal between 198 kHz and 203 kHz, as demonstrated by a transmitter and antenna hidden just beneath the surface of a coffee-shop table, aka Ghost Touch.
high complexity
mi sony samsung google sharp fujitsu
4.2

2019-05-31 CVE-2019-12500 Missing Authentication for Critical Function vulnerability in MI M365 Firmware
The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "suddenly accelerate" commands.
low complexity
mi CWE-306
6.5

2019-04-05 CVE-2019-10875 Authentication Bypass by Spoofing vulnerability in MI Browser and Mint Browser
A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter.
network
low complexity
mi CWE-290
6.5

2019-02-17 CVE-2019-8413 NULL Pointer Dereference vulnerability in MI MIX 2 Firmware 4.4.78
On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661).
local
low complexity
mi CWE-476
5.5

2018-11-27 CVE-2018-13022 Cross-site Scripting vulnerability in MI Miwifi OS 2.22.15
Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path.
network
low complexity
mi CWE-79
6.1