CVE-2023-26321 - Vulnerability Details - OpenCVE

A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file.

No CVSS v4.0

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mi	File Manager

Configuration 1 [-]

cpe:2.3:a:mi:file_manager:1-210567:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://trust.mi.com/misrc/bulletins/advisory?cveId=541

History

Thu, 12 Sep 2024 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-22
CPEs		cpe:2.3:a:mi:file_manager:1-210567:::::::*

Wed, 28 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mi Mi file Manager
CPEs		cpe:2.3:a:mi:file_manager::::::::
Vendors & Products		Mi Mi file Manager
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 28 Aug 2024 08:00:00 +0000

Type	Values Removed	Values Added
Description		A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file.
Title		The international version of Xiaomi File Manager has a path traversal vulnerability
References		https://trust.mi.com/misrc/bulletins/advisory?cveId=541
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Xiaomi

Published: 2024-08-28T07:51:28.809Z

Updated: 2025-03-25T15:57:26.688Z

Reserved: 2023-02-22T16:59:28.183Z

Link: CVE-2023-26321

Vulnrichment

Updated: 2024-08-28T13:56:20.792Z

NVD

Status : Modified

Published: 2024-08-28T08:15:06.083

Modified: 2025-03-25T16:15:16.857

Link: CVE-2023-26321

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26321", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "state": "PUBLISHED", "assignerShortName": "Xiaomi", "dateReserved": "2023-02-22T16:59:28.183Z", "datePublished": "2024-08-28T07:51:28.809Z", "dateUpdated": "2025-03-25T15:57:26.688Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Xiaomi File Manager App International Version", "vendor": "Xiaomi", "versions": [{"changes": [{"at": "V1-210586", "status": "unaffected"}], "lessThanOrEqual": "V1-210567", "status": "affected", "version": "Xiaomi File Manager App International Version", "versionType": "custom"}]}], "datePublic": "2024-02-08T07:41:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(245, 247, 249);\">A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file.</span><br>"}], "value": "A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Xiaomi File Manager App International Version V1-210567"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "A path traversal vulnerability exists", "lang": "en"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2024-08-28T07:51:28.809Z"}, "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=541"}], "source": {"discovery": "EXTERNAL"}, "title": "The international version of Xiaomi File Manager has a path traversal vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "affected": [{"vendor": "mi", "product": "file_manager", "cpes": ["cpe:2.3:a:mi:file_manager:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "v1-210586", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T13:39:58.176575Z", "id": "CVE-2023-26321", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T15:57:26.688Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26321", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-28T13:39:58.176575Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mi:file_manager:*:*:*:*:*:*:*:*"], "vendor": "mi", "product": "file_manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "v1-210586"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T13:56:20.792Z"}}], "cna": {"title": "The international version of Xiaomi File Manager has a path traversal vulnerability", "source": {"discovery": "EXTERNAL"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Xiaomi File Manager App International Version V1-210567"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Xiaomi", "product": "Xiaomi File Manager App International Version", "versions": [{"status": "affected", "changes": [{"at": "V1-210586", "status": "unaffected"}], "version": "Xiaomi File Manager App International Version", "versionType": "custom", "lessThanOrEqual": "V1-210567"}], "defaultStatus": "affected"}], "datePublic": "2024-02-08T07:41:00.000Z", "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=541"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(245, 247, 249);\">A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "A path traversal vulnerability exists"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2024-08-28T07:51:28.809Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26321", "state": "PUBLISHED", "dateUpdated": "2025-03-25T15:57:26.688Z", "dateReserved": "2023-02-22T16:59:28.183Z", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "datePublished": "2024-08-28T07:51:28.809Z", "assignerShortName": "Xiaomi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mi:file_manager:1-210567:*:*:*:*:*:*:*", "matchCriteriaId": "8010BDED-A28F-468D-A92C-3D2FAF09D29A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file."}, {"lang": "es", "value": "Existe una vulnerabilidad de path traversal en el producto de la aplicaci\u00f3n Xiaomi File Manager (versi\u00f3n internacional). La vulnerabilidad es causada por caracteres especiales sin filtrar y los atacantes pueden aprovecharla para sobrescribir y ejecutar c\u00f3digo en el archivo."}], "id": "CVE-2023-26321", "lastModified": "2025-03-25T16:15:16.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.9, "source": "security@xiaomi.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-28T08:15:06.083", "references": [{"source": "security@xiaomi.com", "tags": ["Vendor Advisory"], "url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=541"}], "sourceIdentifier": "security@xiaomi.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}