Unsafe Implicit Linking in Nullsoft Scriptable Install System by Nullsoft
CVE-2015-9268

7.8HIGH

Key Information:

Vendor

Nullsoft

Status
Nullsoft Scriptable Install System
Vendor
CVE Published:
1 October 2018

What is CVE-2015-9268?

The Nullsoft Scriptable Install System (NSIS) prior to version 2.49 is vulnerable due to unsafe implicit linking against Version.dll, leading to potential exploitation during runtime. This flaw occurs because there is no protective wrapper function that appropriately resolves the dependency at the correct time, which could allow a malicious actor to manipulate software installation processes.

References

https://lists.debian.org/debian-lts-announce/2018/11/msg0...
mailing-listx_refsource_MLIST
https://sourceforge.net/p/nsis/bugs/1125/
x_refsource_MISC
http://jvn.jp/en/jp/JVN68418039/index.html
third-party-advisoryx_refsource_JVN

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.