CVE-2023-41387

Published: Sep 19, 2023

Modified: Sep 25, 2024

PUBLISHED

Description

A SQL injection in the flutter_downloader component through 1.11.1 for iOS allows remote attackers to steal session tokens and overwrite arbitrary files inside the app's container. The internal database of the framework is exposed to the local user if an app uses UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace properties. As a result, local users can obtain the same attack primitives as remote attackers by tampering with the internal database of the framework on the device.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://pub.dev/packages/flutter_downloader/changelog

https://seredynski.com/articles/exploiting-ios-apps-to-extract-session-tokens-and-overwrite-user-data

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-41387

Description

Affected Products

References