CVE-2024-13185

High

Published: 08 January 2025

Published

08 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0011 29.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.

Security Summary

CVE-2024-13185 is a vulnerability in the MinigameCenter module stemming from insufficient restrictions on loading URLs, which can result in information leakage. This issue is classified under CWE-306 (Missing Authentication for Critical Function) and affects vivo products, as indicated by the vendor's security advisory. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with network accessibility and no requirements for privileges or user interaction.

A remote, unauthenticated attacker can exploit this flaw over the network with low complexity. By leveraging the inadequate URL loading controls in the MinigameCenter module, the attacker can access sensitive information without impacting integrity or availability, potentially exposing user data or system details.

vivo has published a security advisory detailing the issue at https://www.vivo.com/en/support/security-advisory-detail?id=15, which security practitioners should consult for mitigation guidance, patches, or workarounds.

Details

CWE(s): CWE-306

References

https://www.vivo.com/en/support/security-advisory-detail?id=15
security@vivo.com