Uncontrolled Search Path Element Remote Code Execution Vulnerability
CVE-2023-44439

7.8HIGH

Key Information:

Vendor: Ashlar-vellum
Status: Xenon
Vendor: CVE Published:; 3 May 2024

Summary

The vulnerability arises from the improper handling of various file types by Ashlar-Vellum Xenon, which allows the software to load libraries from unsecured locations. This flaw presents a significant risk, as it enables remote attackers to execute arbitrary code within the current process context. Exploitation of this vulnerability necessitates user interaction, requiring the target to either access a malicious webpage or open a compromised file. This issue underscores the importance of securing library paths and addressing vulnerabilities that necessitate user input for successful exploitation.

Affected Version(s)

Xenon Xenon v12 Beta Build 1204.68

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1597/

x_research-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Sep 28, 2023