Local Privilege Escalation Vulnerability in Phish Alert Button for Outlook
CVE-2024-29210

2.8 LOW

What is CVE-2024-29210?

A significant vulnerability in KnowBe4's Phish Alert Button for Outlook permits local privilege escalation due to improper permission settings on the application's configuration file. This vulnerability enables regular users to manipulate the file, which governs critical parameters like the update server URL, resulting in potential redirection to malicious servers. Such an action, when combined with other vulnerabilities, can allow an attacker to execute arbitrary code with elevated privileges. The ramifications are severe, including unauthorized access to sensitive information and possible takeover of the affected system. Mitigations include applying recent patches from KnowBe4 and reconfiguring permission settings to restrict access appropriately.
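As an added defensive check, not code from KnowBe4 or from this advisory, the following PowerShell script audits the ACL of the Phish Alert Button configuration file for write-capable rights held by low-privilege principals, which is the condition the advisory describes; the configuration file path is a placeholder because the advisory does not name it, and the principal list is an assumption about which identities should never be able to modify it.

```powershell
# Added example (not KnowBe4's code): audit the PAB config file ACL for
# write rights granted to low-privilege principals (CVE-2024-29210 exposure).
param(
    # Placeholder path: substitute the real location of the PAB config file.
    [string]$ConfigPath = 'C:\PLACEHOLDER\PhishAlertButton\config.xml'
)

# Assumed set of principals that should never be able to modify a file that
# controls the update server URL.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that allow changing the file, replacing it, or granting oneself
# write access later (ChangePermissions / TakeOwnership).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-ConfigAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Config file not found: $Path" }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs for the low-privilege principals matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                # Inherited ACEs must be fixed on the parent directory, not the file.
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Test-ConfigAcl -Path $ConfigPath)
if ($findings.Count -gt 0) {
    Write-Warning "Low-privilege principals can modify $ConfigPath:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: no low-privilege write access on $ConfigPath"
}
```

When a finding is reported, remediation is to apply the vendor patch and restrict the file (or, for inherited ACEs, its parent directory) so that only SYSTEM and Administrators hold write rights, for example with icacls using /inheritance:r and explicit /grant:r entries.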

Affected Version(s)

PasswordIQ (PIQ) Client 1.0.16

Phish Alert Button (PAB) f 1.10.0

Phish Alert Button (PAB) for Outlook 1.10.12

CVSS V3.1

Score: 2.8
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved