Access Control Issues in Nullsoft Scriptable Install System
CVE-2023-37378

5.3MEDIUM

Key Information:

Vendor: Nullsoft
Status: Nullsoft Scriptable Install System
Vendor: CVE Published:; 3 July 2023

What is CVE-2023-37378?

The Nullsoft Scriptable Install System (NSIS) prior to version 3.09 contains a vulnerability that improperly handles access control for an uninstaller directory. This misconfiguration may allow unauthorized users to gain access to sensitive files and exploit them, leading to potential data exposure and security breaches. It is imperative for users of impacted NSIS versions to upgrade to mitigate these risks and enhance their software's security.

References

http://sf.net/p/nsis/bugs/1296

https://nsis.sourceforge.io/Docs/AppendixF.html#v3.09

https://sourceforge.net/p/nsis/news/2023/07/nsis-309-rele...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 3, 2023
Vulnerability Reserved
Jul 3, 2023