Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability
CVE-2024-5924

8.8 HIGH

Key Information:

Vendor: Dropbox

CVE Published: 13 June 2024

What is CVE-2024-5924?

This vulnerability affects the Dropbox Desktop application, specifically its handling of shared folders. When files are synced from a shared folder linked to an untrusted account, the application fails to apply the Mark-of-the-Web (MotW) to the downloaded files, so Windows does not treat them as originating from the Internet and skips the protections (such as SmartScreen and Protected View prompts) that normally depend on that marking. An attacker who can trick a user into visiting a malicious page or downloading a malicious file can use this to execute arbitrary code in the context of the current user. Shared folders from untrusted accounts are therefore the primary exposure to watch for.

Affected Version(s)

Dropbox Desktop 198.4.7615

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved