CVE-2018-20523

MEDIUM

Xiaomi Stock Browser 10.2.4.g - Unauthenticated Information Disclosure via Content Provider Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20523. PoCs published by Vishwaraj Bhattrai.

AI-analyzed exploit summary: This exploit demonstrates a content provider injection vulnerability in Xiaomi Browser 10.2.4.g, allowing unauthorized access to the user's browser search history via the `com.android.browser.searchhistory` content provider. The PoC uses `adb` and `drozer` to query the vulnerable provider.

Description

Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request.

Exploits (1)

exploitdb WORKING POC
by Vishwaraj Bhattrai · text · local · android
https://www.exploit-db.com/exploits/50188

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Xiaomi Browser 10.2.4.g
No auth needed
Prerequisites: ADB access to the device · Drozer installed · Vulnerable Xiaomi Browser version
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Broken Link, Vendor Advisory x_refsource_misc
https://sec.xiaomi.com
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/163796/Xiaomi-10.2.4.g-Information-Disclosure.html

Scores

CVSS v3 5.3
EPSS 0.1001
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE CWE-77
Status published
Products (19)
mi/redmi_4a_firmware
mi/redmi_5_plus_firmware
mi/redmi_6_firmware
mi/redmi_6a_firmware
mi/redmi_7_firmware
mi/redmi_7a_firmware
mi/redmi_go_firmware
mi/redmi_k20_firmware
mi/redmi_k20_pro_firmware
mi/redmi_note_4_firmware
... and 9 more
Published Jun 07, 2019
Tracked Since Feb 18, 2026