CVE-2019-13321

Name of the Vulnerable Software and Affected Versions Xiaomi Browser versions prior to 10.4.0

Description This issue allows network adjacent attackers to execute arbitrary code on affected installations. User interaction is required, where the target must connect to a malicious access point. The flaw exists within the handling of HTTP responses to the Captive Portal. A crafted HTML response can cause the Captive Portal to open a browser to a specified location without user interaction. An attacker can leverage this in conjunction with other issues to execute code in the context of the current process.

Recommendations For versions prior to 10.4.0, update to version 10.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted networks and avoiding connections to unknown access points until the update is applied.