CVE-2020-26894

Опубликовано: 08 окт. 2020

Источник: nvd

CVSS3: 7.8

CVSS2: 4.6

EPSS Низкий

Описание

LiveCode v9.6.1 on Windows allows local, low-privileged users to gain privileges by creating a malicious "cmd.exe" in the folder of the vulnerable LiveCode application. If the application is using LiveCode's "shell()" function, it will attempt to search for "cmd.exe" in the folder of the current application and run the malicious "cmd.exe".

Ссылки

https://github.com/livecode/livecode/pull/7454
Vendor Advisory
https://john-woodman.com/posts/LiveCode-Privilege-Escalation-Vulnerability/
Exploit
Third Party Advisory
https://quality.livecode.com/show_bug.cgi?id=22942
Third Party Advisory
https://github.com/livecode/livecode/pull/7454
Vendor Advisory
https://john-woodman.com/posts/LiveCode-Privilege-Escalation-Vulnerability/
Exploit
Third Party Advisory
https://quality.livecode.com/show_bug.cgi?id=22942
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:faulknermedia:wildlife_issues_in_the_new_millennium:18.0.160:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

EPSS

Процентиль: 18%

0.00059

Низкий

7.8 High

CVSS3

4.6 Medium

CVSS2

Дефекты

CWE-427

Связанные уязвимости

GHSA-vrmr-fjxh-fm4g

github

больше 3 лет назад

Faulkner Wildlife Issues in the New Millennium 18.0.160 on Windows allows local, low-privileged users to gain privileges by creating a malicious "%SYSTEMDRIVE%\Course Software Material 18.0.1.9\cmd.exe" file.