QwikSec

Security Database

CVE

CWE

Training

CVE-2020-15261

Published: Oct 19, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

8.0

HIGH

Description

On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in anyway unsafe setups. The problem has been fixed in version 4.4.2. As a workaround, the exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.

Vendor	Product	Versions
veyon	veyon	affected `< 0.11.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/veyon/veyon/security/advisories/GHSA-c8cc-x786-hqqp

x_refsource_CONFIRM

https://github.com/veyon/veyon/issues/657

x_refsource_MISC

https://github.com/veyon/veyon/commit/f231ec511b9a09f43f49b2c7bb7c60b8046276b1

x_refsource_MISC

http://packetstormsecurity.com/files/162873/Veyon-4.4.1-Unquoted-Service-Path.html

x_refsource_MISC

https://www.exploit-db.com/exploits/49925

x_refsource_MISC

https://www.exploit-db.com/exploits/48246

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.