DLL Redirection Attacks Affect WiX Installer Framework
CVE-2024-24810

7.8HIGH

Key Information:

Vendor: wixtoolset
Status: issues
Vendor: CVE Published:; 7 February 2024

What is CVE-2024-24810?

The WiX Toolset installer framework is susceptible to DLL redirection attacks due to vulnerabilities present in the .be TEMP folder. This allows attackers to exploit unpatched installers built with WiX, potentially leading to unauthorized privilege escalation during the installation process. Users of the WiX Toolset should upgrade to version 4.0.4 or later to mitigate this security risk and ensure their installers remain secure against exploitation.

Affected Version(s)

issues <= 4.0.3

References

https://github.com/wixtoolset/issues/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 7, 2024
Vulnerability Reserved
Jan 31, 2024