Key Vulnerability Information

Vulnerability Type: Arbitrary File Overwrite
Affected Product: coto: Tarot, Astro & Healing (world.eve.coto)
Vendor: COMMUNITY PLATFORM PTE. LTD
Version: V11.4.0
Link: https://play.google.com/store/apps/details?id=world.eve.coto

Vulnerability Description: An arbitrary file overwrite vulnerability in the coto: Tarot, Astro & Healing app allows attackers to overwrite critical internal files via the file import process, potentially enabling code execution, exposure of sensitive information, denial of service, and other severe security impacts.

Vulnerability Component: com.eveworld.coto.view.MainActivity

Additional Information: The vulnerability is caused by insufficient security validation when handling imported files. A malicious app can control the filename and content of an imported file and use path traversal in the filename to overwrite sensitive files in the app's internal storage. When critical configuration or executable files are modified, the app may malfunction, fail to launch, or execute arbitrary code. The attack requires no complex user interaction and can be triggered automatically once the victim opens the malicious app.

Proof of Concept (PoC)
Before Overwrite: contains normal content.
After Overwrite: contains the malicious content: .
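The root cause described above is a file name taken from the import source and used directly as a path under internal storage. The following import handler is an added example of the corresponding fix, not the vendor's code: it reduces the untrusted name to a single path segment, canonicalizes the destination and checks that it stays inside a fixed import directory, and refuses to overwrite existing files. The class name, the `imports` subdirectory and the method signatures are assumptions.

```java
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;

public final class SafeImport {
    // Hypothetical destination directory for imported files (assumption, not from the advisory).
    private static final String IMPORT_DIR = "imports";

    /** Returns the resolved destination file, or throws if the name would escape IMPORT_DIR. */
    static File resolveImportTarget(File filesDir, String untrustedName) throws IOException {
        File importDir = new File(filesDir, IMPORT_DIR);
        if (!importDir.isDirectory() && !importDir.mkdirs()) {
            throw new IOException("cannot create import directory");
        }
        // Keep only the final path segment: "../../shared_prefs/x.xml" and "a/b" both reduce to one name.
        String baseName = new File(untrustedName).getName();
        if (baseName.isEmpty() || baseName.equals(".") || baseName.equals("..")) {
            throw new IOException("invalid file name");
        }
        File target = new File(importDir, baseName);
        // Canonicalize both sides and compare; this also covers symlinked directories.
        Path dirPath = importDir.getCanonicalFile().toPath();
        Path targetPath = target.getCanonicalFile().toPath();
        if (targetPath.equals(dirPath) || !targetPath.startsWith(dirPath)) {
            throw new IOException("path escapes import directory: " + untrustedName);
        }
        return target;
    }

    /** Writes imported data only into the validated location and never overwrites an existing file. */
    static File saveImportedFile(Context ctx, String untrustedName, InputStream data) throws IOException {
        File target = resolveImportTarget(ctx.getFilesDir(), untrustedName);
        if (target.exists()) {
            throw new IOException("refusing to overwrite existing file: " + target.getName());
        }
        try (FileOutputStream out = new FileOutputStream(target)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = data.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
        return target;
    }
}
```

With this in place a traversal name such as `../../shared_prefs/app.xml` is reduced to `app.xml` under `files/imports/`, and an import that targets a name already present is rejected instead of replacing the file.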