CVE-2023-41387

CVSS 3.1 Score 9.1 of 10 (high)

Details

Published Sep 19, 2023
Updated: Sep 22, 2023
CWE ID 89

Summary

CVE-2023-41387 is a critical SQL injection vulnerability in the flutter_downloader component through version 1.11.1 for iOS. This vulnerability allows remote attackers to steal session tokens and overwrite arbitrary files within the app's container. The vulnerability is present when an app uses UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace properties, which expose the internal database of the framework to local users. This means that local users can tamper with the framework's internal database on the device and gain similar attack capabilities as remote attackers. The vulnerability affects multiple products, as listed in the affected_products field. To remediate this vulnerability, it is recommended to update to a fixed version of the flutter_downloader component. The potential danger posed by this vulnerability is high, as it can lead to unauthorized access, data theft, and manipulation of sensitive information within affected apps.

Share

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-41387 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options