| Title | uCrop Android Library uCrop 2.2.11 Intent Spoofing |
|---|---|
| Description | Hello, this is arrester. On June 10th, I reported the issue to the official uCrop library GitHub via the Security tab and also tagged the person in charge during the process to reach out, but since I still haven’t received any response, I am now reporting it to VulDB. The Intent Spoofing vulnerability I discovered occurs because there is no input validation for `sourceUri` and `destinationUri` in `UCrop.of(sourceUri, destinationUri)`, which results in unauthorized access to specific file paths on the mobile device and file corruption (creation, overwriting, etc.). |
| Source | ⚠️ https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?source=copy_link |
| User | arrester (UID 93048) |
| Submission | 27.11.2025 19:38 (7 months ago) |
| Moderation | 11.12.2025 07:46 (14 days later) |
| Status | Accepted |
| VulDB entry | 335855 [Yalantis uCrop 2.2.11 AndroidManifest.xml UCropActivity Local Privilege Escalation] |
| Points | 17 |
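
One way a host app could vet the two URIs before handing them to `UCrop.of(sourceUri, destinationUri)`, given the missing validation described in the submission. This is an added example, not code from uCrop or from the reporter; the class `CropUriGuard` and the policy of confining file paths to the app's cache directory are assumptions.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.net.Uri;

import java.io.File;
import java.io.IOException;

/** Hypothetical helper (not part of uCrop): vet URIs before UCrop.of(). */
public final class CropUriGuard {
    private CropUriGuard() {}

    /** Source may be a content:// URI or a file inside this app's cache dir. */
    public static boolean isAllowedSource(Context ctx, Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        // content:// goes through ContentResolver permission checks; restrict
        // further by authority if the app only expects one known provider.
        if (ContentResolver.SCHEME_CONTENT.equals(scheme)) return true;
        return ContentResolver.SCHEME_FILE.equals(scheme)
                && isInside(ctx.getCacheDir(), uri.getPath());
    }

    /** Destination must be a file inside this app's cache dir (assumed policy). */
    public static boolean isAllowedDestination(Context ctx, Uri uri) {
        return uri != null
                && ContentResolver.SCHEME_FILE.equals(uri.getScheme())
                && isInside(ctx.getCacheDir(), uri.getPath());
    }

    /** Canonicalise first so "../" segments and symlinks cannot escape baseDir. */
    static boolean isInside(File baseDir, String path) {
        if (path == null) return false;
        try {
            String base = baseDir.getCanonicalPath() + File.separator;
            return new File(path).getCanonicalPath().startsWith(base);
        } catch (IOException e) {
            return false; // fail closed when the path cannot be resolved
        }
    }
}
// Caller sketch: only when both checks pass,
//   UCrop.of(src, dst).start(activity);
```

Any other scheme, and any file path outside the cache directory, is rejected for both arguments.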