Philips SmartControl DLL Hijacking
CVE-2020-7360

7.4 HIGH

Key Information:

Vendor: Philips
CVE Published: 13 August 2020

Summary

An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was released after April 15, 2020. (Note, the version numbering system changed significantly between version 4.3.15 and version 1.0.7.)

Affected Version(s)

SmartControl 4.3.15

SmartControl 1.0.7

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered and reported by Erik Wynter of Vonahi Security.