Описание
The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution.
Ссылки
- Third Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
EPSS
8.8 High
CVSS3
Дефекты
Связанные уязвимости
The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution.
EPSS
8.8 High
CVSS3