Lucene search

[email protected]CVE-2023-33188

HistoryMay 27, 2023 - 4:15 a.m.

CVE-2023-33188

2023-05-2704:15:25

CWE-610

CWE-441

[email protected]

web.nvd.nist.gov

109

omni-notes

android

vulnerability

file access

update

cve-2023-33188

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.8%

JSON

Omni-notes is an open source note-taking application for Android. The Omni-notes Android app had an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note’s attachments were not properly validated, allowing malicious or compromised applications in the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they would have become accessible to any component with permission to read the external storage. Updating to the newest version (6.2.7) of Omni-notes Android fixes this vulnerability.

Affected configurations

Vulners

NVD

Node

federicoiosueomni_notesRange<6.2.7

CPENameOperatorVersion
omninotes:omni_notesomninotes omni notesle6.2.6

CPE	Name	Operator	Version
omninotes:omni_notes	omninotes omni notes	le	6.2.6

CNA Affected

[
  {
    "vendor": "federicoiosue",
    "product": "Omni-Notes",
    "versions": [
      {
        "version": "< 6.2.7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/federicoiosue/Omni-Notes/security/advisories/GHSA-g38r-4cf6-3v32