CVE-2024-12993 | THREATINT

Description

Infinix devices contain a pre-loaded "com.rlk.weathers" application, that exposes an unsecured content provider. An attacker can communicate with the provider and reveal the user’s location without any privileges. After multiple attempts to contact the vendor we did not receive any answer. We suppose this issue affects all Infinix Mobile devices.

PUBLISHED Reserved 2024-12-27 | Published 2024-12-30 | Updated 2024-12-30 | Assigner CERT-PL

MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Product status

Default status

unknown

7.0.0.037

affected

Credits

Szymon Chadam finder

References

cert.pl/en/posts/2024/12/CVE-2024-12993/ third-party-advisory

cert.pl/posts/2024/12/CVE-2024-12993/ third-party-advisory

cve.org (CVE-2024-12993)

nvd.nist.gov (CVE-2024-12993)

Download JSON