CVE-2019-10875 - Vulnerability Details - OpenCVE

A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter. The portion of an https URL before the ?q= substring is not shown to the user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mi	Mi Browser Mint Browser

Configuration 1 [-]

OR	cpe:2.3:a:mi:mi_browser:10.5.6-g:::::::*
	cpe:2.3:a:mi:mint_browser:1.5.3:::::::*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html
https://sec.xiaomi.com/bug/5bedef67a31ec71e
https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html
https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-05T12:36:49

Updated: 2024-08-04T22:32:02.097Z

Reserved: 2019-04-04T00:00:00

Link: CVE-2019-10875

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-05T13:29:00.240

Modified: 2024-11-21T04:20:01.347

Link: CVE-2019-10875

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the \"q\" query parameter. The portion of an https URL before the ?q= substring is not shown to the user."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-14T22:06:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sec.xiaomi.com/bug/5bedef67a31ec71e"}, {"tags": ["x_refsource_MISC"], "url": "https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10875", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the \"q\" query parameter. The portion of an https URL before the ?q= substring is not shown to the user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://sec.xiaomi.com/bug/5bedef67a31ec71e", "refsource": "MISC", "url": "https://sec.xiaomi.com/bug/5bedef67a31ec71e"}, {"name": "https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html", "refsource": "MISC", "url": "https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html"}, {"name": "https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html", "refsource": "MISC", "url": "https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html"}, {"name": "http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:02.097Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sec.xiaomi.com/bug/5bedef67a31ec71e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-10875", "datePublished": "2019-04-05T12:36:49", "dateReserved": "2019-04-04T00:00:00", "dateUpdated": "2024-08-04T22:32:02.097Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mi:mi_browser:10.5.6-g:*:*:*:*:*:*:*", "matchCriteriaId": "8017F472-7781-4132-A4C3-C7A6033DB9B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:mi:mint_browser:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "F7145737-A191-4864-9E20-6BCEF7478468", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the \"q\" query parameter. The portion of an https URL before the ?q= substring is not shown to the user."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de suplantaci\u00f3n de URL en todas las versiones internacionales del navegador de Xiaomi Mi (tambi\u00e9n conocido como el navegador nativo MIUI), en su versi\u00f3n 10.5.6-g, y de Mint Browser, en su versi\u00f3n 1.5.3, en la manera en la que gestionan el par\u00e1metro de consultas \"q\". La porci\u00f3n de una URL https antes de la subcadena ?q= no se muestra al usuario."}], "id": "CVE-2019-10875", "lastModified": "2024-11-21T04:20:01.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-05T13:29:00.240", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html"}, {"source": "cve@mitre.org", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://sec.xiaomi.com/bug/5bedef67a31ec71e"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152497/Xiaomi-Mi-Browser-Mint-Browser-URL-Spoofing.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://sec.xiaomi.com/bug/5bedef67a31ec71e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "nvd@nist.gov", "type": "Primary"}]}