CVE-2018-9587

HIGH Year: 2018
CVSS v3 Score
7.3
High
CVSS v2 Score
4.4
Medium
Weakness Type
CWE-552
View all →

Vulnerability Description

In savePhotoFromUriToUri of ContactPhotoUtils.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is possible unauthorized access to files within the contact app due to a confused deputy scenario. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Android ID: A-113597344.

Related Vulnerabilities

CVE-2025-0509

HIGH
CVSS:7.3(High)

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

CWE-5522025

CVE-2025-4134

HIGH
CVSS:7.3(High)

Lack of file validation in do_update_vps in Avast Business Antivirus for Linux 4.5 on Linux allows local user to spoof or tamper with the update file via an unverified file write.

CWE-5522025

CVE-2020-12470

HIGH
CVSS:7.2(High)

MonoX through 5.1.40.5152 allows administrators to execute arbitrary code by modifying an ASPX template.

CWE-5522020

CVE-2022-29446

HIGH
CVSS:7.2(High)

Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress.

CWE-5522022

CVE-2022-29447

HIGH
CVSS:7.2(High)

Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress.

CWE-5522022

CVE-2023-1124

HIGH
CVSS:7.2(High)

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

CWE-5522023