PT-2020-18685 · Mx Media · Mx Player Android App

David Wells · Published 2020-07-08 · Updated 2020-07-17 · CVE-2020-5764

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MX Player Android App versions prior to v1.24.5
Description: The issue allows an attacker to exploit a directory traversal vulnerability when the user is using the MX Transfer feature in "Receive" mode. This can be achieved by sending a MessageType of "FILE LIST" with a name field containing directory traversal characters (../), resulting in files being saved outside of the intended "/sdcard/MXshare" directory. In some cases, an attacker can achieve remote code execution by writing ".odex" and ".vdex" files in the "oat" directory of the MX Player application.
Recommendations: For MX Player Android App versions prior to v1.24.5, update to version v1.24.5 or later to resolve the issue. As a temporary workaround, consider disabling the MX Transfer feature in "Receive" mode until a patch is available. Restrict access to the MX Transfer session to minimize the risk of exploitation. Avoid using the name field in the FILE LIST MessageType until the issue is resolved.
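The root cause described above is a receiver that joins an attacker-controlled name from the FILE LIST message onto the share directory without checking where the joined path ends up. The following is an added example of the containment check a receiver should apply; it is not MX Player's code, and the class and method names are invented for this illustration. The only value taken from the advisory is the "/sdcard/MXshare" share directory; the sample file names in main() are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeReceivePath {
    // Share directory named in the advisory; normalized once so the
    // containment check below compares against a canonical prefix.
    static final Path SHARE_DIR = Paths.get("/sdcard/MXshare").toAbsolutePath().normalize();

    /**
     * Resolve an untrusted file name from a FILE LIST message against the share
     * directory. Returns the resolved path only if it stays inside SHARE_DIR;
     * otherwise throws IllegalArgumentException so the caller can drop the entry.
     */
    public static Path resolveInsideShare(String untrustedName) {
        if (untrustedName == null || untrustedName.isEmpty() || untrustedName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path candidate = Paths.get(untrustedName);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }
        // normalize() collapses "." and ".." segments, so a name such as
        // "../../x" is compared by where it really lands, not by its spelling.
        Path resolved = SHARE_DIR.resolve(candidate).normalize();
        // Path.startsWith compares whole path components, so a sibling
        // directory like /sdcard/MXshare2 does not pass as a prefix match.
        if (!resolved.startsWith(SHARE_DIR)) {
            throw new IllegalArgumentException("path escapes share directory: " + untrustedName);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample names: two legitimate, two that must be rejected.
        String[] samples = {
            "video.mp4",
            "album/clip.mp4",
            "../../escape.bin",
            "/sdcard/Download/escape.bin",
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + resolveInsideShare(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is done on the normalized path rather than by searching the string for "../", because encoded or redundant separators can defeat a substring filter while still resolving outside the share directory. Rejecting absolute names and NUL bytes closes the two other common ways a file-name field can steer a write to an unintended location.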

Tags: Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2020-5764

Affected Products: Mx Player Android App