An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
The vulnerability classified as CWE-73 (External Control of File Name or Path) consists of the lack of proper validation of file names or paths during the import process. An attacker can provide a specially crafted file whose name or path points to critical internal application files. As a result, the import mechanism overwrites these files with attacker-controlled content, which can result in arbitrary code execution or disclosure of sensitive data.
An attacker can cause arbitrary code execution (RCE) in the context of the application or disclose sensitive information processed by the application. High impact on the confidentiality, integrity, and availability of the system.
Patches available from the manufacturer should be applied according to the references. It is recommended to monitor the availability of updates on the manufacturer's website (maru.xyz) and in the Google Play Store. Until a fix is available, consider restricting the ability to import files from untrusted users.
Maru Neo application (neo.maru) by MaruNuri LLC version v2.0.23
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMaru Neo.maru
APPMaru2.0.23