CVE-2021-33057

HIGH

QQ App 8.7.1 - Info Disclosure

Title source: llm
STIX 2.1

Description

The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.

References (3)

Core 3
Core References
Vendor Advisory x_refsource_misc
https://tencent.com
Technical Description, Third Party Advisory x_refsource_misc
https://arxiv.org/pdf/2205.15202.pdf

Scores

CVSS v3 7.5
EPSS 0.0103
EPSS Percentile 59.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-862
Status published
Products (1)
tencent/qq 8.7.1 (2 CPE variants)
Published Jul 26, 2022
Tracked Since Feb 18, 2026