Advisory No: TZCERT/SA/2024/05/02-3
Date of First Release: 2nd May 2024
Source: Zero-Day Initiative
Software Affected: Xiaomi Pro 13
Overview:
The Xiaomi Pro 13 is affected by three (3) critical vulnerabilities. Attackers can leverage these vulnerabilities to gain access to the affected smartphone.
Description:
The three vulnerabilities, rated at 8.8 and tracked as CVE-2024-4406, CVE-2024-4405, and CVE-2023-26322, affect the Xiaomi Pro 13 smartphone. The flaws exist in the integral-dialog-page.html file, the manual-upgrade.html file, and the isUrlMatchLevel method, and lead to the injection of an arbitrary script. Attackers can exploit the vulnerabilities to execute code in the context of the current user.
Impact:
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected smartphone.
Solution:
Xiaomi has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.