CVE-2026-30279
Received - Intake
Arbitrary File Overwrite in My Location Travel Timeline Allows Code Execution

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: MITRE

Description
An arbitrary file overwrite vulnerability in Squareapps LLC My Location Travel Timeline v11.80 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-03
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: squareapps
Product: my_location
Version / Range: 11.80
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in Squareapps LLC My Location Travel Timeline v11.80 is an arbitrary file overwrite flaw occurring during the file import process. It allows attackers to manipulate the filename and content using path traversal techniques to overwrite critical internal files within the app's storage.

This happens because the app does not properly validate the files being imported, enabling a malicious app to exploit this weakness.
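
The kind of validation whose absence CWE-22 describes, as an added example for developers; it is not the vendor's code or fix. The class name, method name and import directory are hypothetical, and it assumes the file name arrives with the imported file and is therefore untrusted.

```java
import java.io.File;
import java.io.IOException;

public class SafeImportPath {

    // Hypothetical helper: map an untrusted file name to a file strictly inside importDir.
    static File resolveImportTarget(File importDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()
                || untrustedName.equals(".") || untrustedName.equals("..")
                || untrustedName.indexOf('/') >= 0 || untrustedName.indexOf('\\') >= 0
                || untrustedName.indexOf('\0') >= 0) {
            throw new SecurityException("rejected import name");
        }
        File base = importDir.getCanonicalFile();
        File target = new File(base, untrustedName).getCanonicalFile();
        // Defence in depth: after symlinks are resolved the target must still sit under base.
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new SecurityException("import target escapes " + base);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a dedicated import directory in app storage.
        File importDir = new File(System.getProperty("java.io.tmpdir"), "imports-demo");
        if (!importDir.isDirectory() && !importDir.mkdirs()) {
            throw new IOException("cannot create " + importDir);
        }
        // Constructed sample names; only the first is a plain file name.
        String[] names = { "trip.gpx", "../files/config.xml", "..", "a/../../b.db", "" };
        for (String name : names) {
            try {
                System.out.println("'" + name + "' -> " + resolveImportTarget(importDir, name));
            } catch (SecurityException e) {
                System.out.println("'" + name + "' -> " + e.getMessage());
            }
        }
    }
}
```

Writing imports into a dedicated directory and rejecting any name that carries a path separator keeps imported content away from the app's other internal files.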


How can this vulnerability impact me?

Exploiting this vulnerability can lead to several severe impacts including arbitrary code execution, exposure of sensitive information, denial of service, app malfunction, or failure to launch.

The attack requires minimal user interaction and can be triggered automatically when the victim opens the malicious app, increasing the risk of compromise.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an arbitrary file overwrite via the file import process in the My Location Travel Timeline app. Detection would focus on monitoring for suspicious file import activities or unexpected modifications to critical internal files within the app's storage.

Since the vulnerability exploits path traversal during file import, you can check for unusual file paths or filenames being imported by the app.

  • Monitor app storage directories for unexpected file changes or overwrites.
  • Use file integrity monitoring tools to detect changes in critical files related to the app.
  • On Android devices, use commands like `adb shell ls -l /data/data/com.kaisquare.location/` to inspect app files and check for unexpected modifications (reading this directory requires root access or a debuggable build of the app).
  • Check app logs for unusual file import activities or errors related to file handling.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to restrict or monitor file imports in the affected app so that the file import process cannot be exploited.

Since the vulnerability allows arbitrary file overwrite via path traversal, avoid importing files from untrusted sources.

  • Update the My Location Travel Timeline app to a patched version once available.
  • Restrict app permissions to limit file system access where possible.
  • Educate users to avoid opening or importing files from unknown or untrusted sources.
  • Monitor the app for suspicious behavior and consider uninstalling it if immediate patching is not possible.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information.

Exposure of sensitive data due to this flaw could result in non-compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

Therefore, exploitation of this vulnerability may compromise the confidentiality and integrity of data, impacting compliance with common standards and regulations that mandate strict data security controls.

