Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android.

"The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data," mobile security firm Oversecured said in a report shared with The Hacker News.

The 20 shortcomings impact different apps and components like -

• Gallery (com.miui.gallery)
• GetApps (com.xiaomi.mipicks)
• Mi Video (com.miui.videoplayer)
• MIUI Bluetooth (com.xiaomi.bluetooth)
• Phone Services (com.android.phone)
• Print Spooler (com.android.printspooler)
• Security (com.miui.securitycenter)
• Security Core Component (com.miui.securitycore)
• Settings (com.android.settings)
• ShareMe (com.xiaomi.midrop)
• System Tracing (com.android.traceur), and
• Xiaomi Cloud (com.miui.cloudservice)

Some of the notable flaws include a shell command injection bug impacting the System Tracing app and flaws in the Settings app that could enable theft of arbitrary files as well as leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.

It's worth noting that while Phone Services, Print Spooler, Settings, and System Tracing are legitimate components from the Android Open Source Project (AOSP), they have been modified by the Chinese handset maker to incorporate additional functionality, leading to these flaws.