Headline
CVE-2022-47757: Arbitrary Code Execution via file download
In imo.im 2022.11.1051, a path traversal vulnerability delivered via an unsanitized deeplink can force the application to write a file into the application's data directory. This may allow an attacker to save a shared library under a special directory from which the app dynamically loads modules. Loading the library can lead to arbitrary code execution.
Package
com.imo.android.imoim (Android)
Affected versions
< 2022.11.2011
Patched versions
2022.11.2011
Description
Impact
A path traversal vulnerability delivered using a deeplink can force the com.imo.android.imoim Android application up to version 2022.11.1051 to write files into its data directory. This may allow an attacker to write a shared library under a special directory that the app uses to dynamically load modules. Loading the library can ultimately lead to arbitrary code execution with the application's privileges.
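The bug class described above, as an added example that is not code from imo.im, the advisory, or its reporter: a file name taken from a deeplink parameter is joined onto the app's download directory without any containment check, so a name containing `../` (literal or percent-encoded) lands the written file in a sibling directory from which native modules are loaded. Beside the vulnerable join is the check a fix needs: canonicalise the joined path and require it to stay strictly inside the intended directory. The `imo://` scheme, the `name` parameter, the `downloads` and `modules` directory names, and the `/data/data/...` stand-in for `getFilesDir()` are all assumptions for illustration, not details from the advisory. It is plain Java so it runs off-device.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example (not imo.im code): the shape of the bug class in the advisory
// and a containment check that stops it. All names below are assumptions.
public class DeeplinkPathTraversal {

    // Stand-in for the app's private data directory (context.getFilesDir() on Android).
    static final File DATA_DIR = new File("/data/data/com.example.app/files");
    // Sub-directory the app writes downloaded files into.
    static final File DOWNLOAD_DIR = new File(DATA_DIR, "downloads");
    // Assumed directory the app loads native modules from; a .so written here gets executed.
    static final File MODULE_DIR = new File(DATA_DIR, "modules");

    // Vulnerable pattern: the attacker-chosen name from the deeplink is joined as-is,
    // so "../modules/evil.so" escapes DOWNLOAD_DIR and lands in MODULE_DIR.
    static File vulnerableTarget(String deeplink) throws URISyntaxException {
        String name = queryParam(new URI(deeplink), "name");
        return new File(DOWNLOAD_DIR, name);
    }

    // Hardened pattern: canonicalise the joined path (collapses "..", resolves symlinks)
    // and require it to stay strictly inside DOWNLOAD_DIR.
    static File safeTarget(String deeplink) throws URISyntaxException, IOException {
        String name = queryParam(new URI(deeplink), "name");
        if (name == null || name.isEmpty()) {
            throw new IOException("missing file name");
        }
        File candidate = new File(DOWNLOAD_DIR, name);
        // Trailing separator stops a sibling such as "downloads_x" from passing the prefix test.
        String base = DOWNLOAD_DIR.getCanonicalPath() + File.separator;
        String resolved = candidate.getCanonicalPath();
        if (!resolved.startsWith(base)) {
            throw new IOException("path traversal rejected: " + resolved);
        }
        return candidate;
    }

    // True if the file would end up inside the (assumed) module directory.
    static boolean landsInModuleDir(File f) throws IOException {
        return f.getCanonicalPath().startsWith(MODULE_DIR.getCanonicalPath() + File.separator);
    }

    // Minimal query parser that percent-decodes values, so an encoded traversal
    // (%2e%2e%2f) is seen the same way as a literal "../".
    static String queryParam(URI uri, String key) {
        String raw = uri.getRawQuery();
        if (raw == null) return null;
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            if (k.equals(key)) {
                String v = eq < 0 ? "" : pair.substring(eq + 1);
                return URLDecoder.decode(v, StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed deeplinks: benign, literal traversal, percent-encoded traversal.
        String[] links = {
            "imo://download?name=photo.jpg",
            "imo://download?name=../modules/evil.so",
            "imo://download?name=%2e%2e%2fmodules%2fevil.so",
        };
        for (String link : links) {
            File unsafe = vulnerableTarget(link);
            System.out.println(link);
            System.out.println("  unsafe join -> " + unsafe.getCanonicalPath()
                    + (landsInModuleDir(unsafe) ? "  [inside module dir: would be loaded]" : ""));
            try {
                System.out.println("  hardened    -> " + safeTarget(link).getCanonicalPath());
            } catch (IOException e) {
                System.out.println("  hardened    -> " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac DeeplinkPathTraversal.java && java DeeplinkPathTraversal`. Two points matter for the check: the comparison has to be made on the canonical path, since a `startsWith` on the raw joined string is trivially satisfied by `downloads/../modules/...`; and the value has to be percent-decoded before the check, because the app will decode it before writing, so a filter that only looks for a literal `../` misses `%2e%2e%2f`. Rejecting names that contain any path separator at all is the simpler alternative when the feature only ever needs a bare file name.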
Patches
The issue was patched in version: 2022.11.2011