Vulnerability Allows Escape from Environment via PDF Files
CVE-2024-3459

8.4 HIGH

Key Information:

Vendor: Kioware
Status
Kioware
Vendor
CVE Published: 14 May 2024

Summary

A vulnerability in KioWare for Windows allows for an escape from the secure environment through the handling of PDF files. This flaw is present in all versions up to 8.34, where downloaded PDF files are launched in an external viewer. The external viewer has built-in capabilities that permit users to initiate a web browser, access local files, and potentially execute any program with the same user privileges as the current session. This issue underscores significant security implications for users and requires immediate attention to mitigate associated risks.

Affected Version(s)

Kioware Windows 0 <= 8.34

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database

Credit

Maksymilian Kubiak [Afine Team]