Aleapp
Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory when the NQ_Vault.py artifact parser processes malicious database entries. Attackers who embed traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.
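The mitigation for this class of bug is to resolve every output path built from a database value and confirm it still lies inside the report directory before writing. The sketch below is an added example, not ALEAPP's code or its actual fix; safe_report_path, export_rows and the sample rows are hypothetical and constructed for illustration, with only the file_name_from column name taken from the advisory.

```python
import os
import tempfile
from pathlib import Path

def safe_report_path(report_dir, untrusted_name):
    """Return a write path inside report_dir, or raise ValueError."""
    base = Path(report_dir).resolve()
    # Treat backslashes as separators too, so "..\\..\\x" is caught on POSIX.
    name = str(untrusted_name).replace("\\", "/")
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing file name")
    # resolve() collapses ".." and follows symlinks; an absolute name
    # replaces base in the join, which the containment check then catches.
    candidate = (base / name).resolve()
    if os.path.commonpath([base, candidate]) != str(base) or candidate == base:
        raise ValueError(f"path escapes report directory: {untrusted_name!r}")
    return candidate

def export_rows(report_dir, rows):
    """Write each (file_name_from, data) row; return (written, rejected)."""
    written, rejected = [], []
    for file_name_from, data in rows:
        try:
            dest = safe_report_path(report_dir, file_name_from)
        except ValueError:
            rejected.append(file_name_from)  # log and skip, never write
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        written.append(dest.name)
    return written, rejected

# Constructed sample rows standing in for values read from an untrusted database.
SAMPLE_ROWS = [
    ("photo.jpg", b"ok"),
    ("../../../target.bin", b"x"),
    ("/tmp/abs_target.bin", b"x"),
    ("..\\..\\target.bin", b"x"),
    ("album/../note.txt", b"ok"),
]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        report = Path(tmp) / "report"
        report.mkdir()
        return export_rows(report, SAMPLE_ROWS)

if __name__ == "__main__":
    print(demo())
```

Rejected names are worth recording in the report itself, since a traversal sequence in an evidence database is a sign the artifact was crafted.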