Filtered by vendor Mi
Subscribe
Total
85 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10262 | 1 Mi | 2 Xiaomi Xiaoai Speaker Pro Lx06, Xiaomi Xiaoai Speaker Pro Lx06 Firmware | 2021-07-21 | 7.2 HIGH | 6.8 MEDIUM |
| An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.58.10. Attackers can activate the failsafe mode during the boot process, and use the mi_console command cascaded by the SN code shown on the product to get the root shell password, and then the attacker can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro (LX06), (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’s SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks. | |||||
| CVE-2020-10263 | 1 Mi | 2 Xiaomi Xiaoai Speaker Pro Lx06, Xiaomi Xiaoai Speaker Pro Lx06 Firmware | 2021-07-21 | 7.2 HIGH | 6.8 MEDIUM |
| An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Attackers can get root shell by accessing the UART interface and then they can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro LX06, (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’ SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks. | |||||
| CVE-2020-10561 | 1 Mi | 2 Mijia Inkjet Printer, Mijia Inkjet Printer Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Xiaomi Mi Jia ink-jet printer < 3.4.6_0138. Injecting parameters to ippserver through the web management background, resulting in command execution vulnerabilities. | |||||
| CVE-2020-14105 | 1 Mi | 2 Mi 10, Miui | 2021-04-23 | 2.1 LOW | 5.5 MEDIUM |
| The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. | |||||
| CVE-2020-14104 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2021-04-15 | 6.8 MEDIUM | 8.1 HIGH |
| A RACE CONDITION on XQBACKUP causes a decompression path error on Xiaomi router AX3600 with ROM version =1.0.50. | |||||
| CVE-2020-14103 | 1 Mi | 2 Mi 10, Miui | 2021-04-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. | |||||
| CVE-2020-14106 | 1 Mi | 1 Miui | 2021-04-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26. | |||||
| CVE-2020-14099 | 1 Mi | 4 Ax1800, Ax1800 Firmware, Rm1800 and 1 more | 2021-04-14 | 5.0 MEDIUM | 7.5 HIGH |
| On Xiaomi router AX1800 rom version < 1.0.336 and RM1800 root version < 1.0.26, the encryption scheme for a user's backup files uses hard-coded keys, which can expose sensitive information such as a user's password. | |||||
| CVE-2020-14098 | 1 Mi | 4 Ax1800, Ax1800 Firmware, Rm1800 and 1 more | 2021-01-19 | 5.0 MEDIUM | 7.5 HIGH |
| The login verification can be bypassed by using the problem that the time is not synchronized after the router restarts. This affects Xiaomi router AX1800rom version < 1.0.336 and Xiaomi route RM1800 root version < 1.0.26. | |||||
| CVE-2020-14097 | 1 Mi | 2 Redmi Ax6, Redmi Ax6 Firmware | 2021-01-19 | 5.0 MEDIUM | 7.5 HIGH |
| Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18. | |||||
| CVE-2020-14101 | 1 Mi | 4 Ax1800, Ax1800 Firmware, Rm1800 and 1 more | 2021-01-19 | 5.0 MEDIUM | 7.5 HIGH |
| The data collection SDK of the router web management interface caused the leakage of the token. This affects Xiaomi router AX1800rom version < 1.0.336 and Xiaomi route RM1800 root version < 1.0.26. | |||||
| CVE-2020-14102 | 1 Mi | 4 Ax1800, Ax1800 Firmware, Rm1800 and 1 more | 2021-01-19 | 9.0 HIGH | 7.2 HIGH |
| There is command injection when ddns processes the hostname, which causes the administrator user to obtain the root privilege of the router. This affects Xiaomi router AX1800rom version < 1.0.336 and Xiaomi route RM1800 root version < 1.0.26. | |||||
| CVE-2020-14096 | 1 Mi | 2 Xiaomi Ai Speaker, Xiaomi Ai Speaker Firmware | 2020-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| Memory overflow in Xiaomi AI speaker Rom version <1.59.6 can happen when the speaker verifying a malicious firmware during OTA process. | |||||
| CVE-2018-6065 | 4 Debian, Google, Mi and 1 more | 6 Debian Linux, Chrome, Mi6 Browser and 3 more | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2019-15469 | 1 Mi | 2 Pad 4, Pad 4 Firmware | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | |||||
| CVE-2018-18698 | 1 Mi | 2 Xiaomi Mi-a1, Xiaomi Mi-a1 Firmware | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on Xiaomi Mi A1 tissot_sprout:8.1.0/OPM1.171019.026/V9.6.4.0.ODHMIFE devices. They store cleartext Wi-Fi passwords in logcat during the process of setting up the phone as a hotspot. | |||||
| CVE-2019-12500 | 1 Mi | 2 M365, M365 Firmware | 2020-08-24 | 3.3 LOW | 6.5 MEDIUM |
| The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "suddenly accelerate" commands. This occurs because Bluetooth Low Energy commands have no server-side authentication check. Other affected commands include suddenly braking, locking, and unlocking. | |||||
| CVE-2019-15471 | 1 Mi | 2 Mix 2s, Mix 2s Firmware | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | |||||
| CVE-2019-15470 | 1 Mi | 2 Redmi Note 6 Pro, Redmi Note 6 Pro Firmware | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | |||||
| CVE-2020-11960 | 1 Mi | 2 Xiaomi R3600, Xiaomi R3600 Firmware | 2020-06-30 | 7.5 HIGH | 9.8 CRITICAL |
| Xiaomi router R3600 ROM before 1.0.50 is affected by a vulnerability when checking backup file in c_upload interface let attacker able to extract malicious file under any location in /tmp, lead to possible RCE and DoS | |||||