Encrypted Configuration File Vulnerability Affects WINSelect Standard and Enterprise
CVE-2024-36495

7.7HIGH

Key Information:

Vendor

Faronics

Status
Winselect (standard + Enterprise)
Vendor
CVE Published:
24 June 2024

What is CVE-2024-36495?

Faronics WINSelect, both Standard and Enterprise versions, has a vulnerability where its configuration settings are saved in an encrypted file located at C:\ProgramData\WINSelect\WINSelect.wsd. This file, however, is accessible with read and write permissions for 'Everyone', potentially allowing unauthorized users to manipulate critical configuration data. Additionally, the Enterprise version stores its configuration file at C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd. Such a security lapse may lead to the exposure of sensitive system configurations and risks unauthorized access.

Affected Version(s)

WINSelect (Standard + Enterprise) 8.30.xx.903

References

https://r.sec-consult.com/winselect
third-party-advisory
https://www.faronics.com/en-uk/document-library/document/...
release-notes
http://seclists.org/fulldisclosure/2024/Jun/12

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Hirschberger | SEC Consult Vulnerability Lab
.
CVE-2024-36495 : Encrypted Configuration File Vulnerability Affects WINSelect Standard and Enterprise