CVE-2023-33188 MEDIUM

CVE-2023-33188: Uncontrolled data used in content resolution

Vendor Federicoiosue
Product Omni-Notes
Weakness CWE-441
Published May 27, 2023
Last update January 14, 2025
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L

What the vulnerability does

01Description

Omni-notes is an open source note-taking application for Android. The Omni-notes Android app had an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note's attachments were not properly validated, allowing malicious or compromised applications in the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they would have become accessible to any component with permission to read the external storage. Updating to the newest version (6.2.7) of Omni-notes Android fixes this vulnerability.

Key dates

02Disclosure timeline

May 27, 2023 CVE published
January 14, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-41365 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History CVE-2026-6993 go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy CVE-2025-64123 Nuvation Energy Multi-Stack Controller Proxy service allows arbitrary BMS access CVE-2025-11393 Insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator: improper proxy configuration allows unauthorized administrative commands CVE-2026-42313 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy