PT-2023-26992 · Unknown · Cryptomator

Pfiatde · Published 2023-08-07 · Updated 2025-04-10 · CVE-2023-39520

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Cryptomator version 1.9.2

Description

Cryptomator encrypts data being stored on cloud infrastructure. The issue allows local privilege escalation for low-privileged users via the repair function. This occurs because the repair function of the MSI installer spawns a SYSTEM PowerShell without the -NoProfile parameter, loading the profile of the user starting the repair.

Recommendations

For Cryptomator version 1.9.2, update to version 1.9.3 to resolve the issue. As a temporary workaround, consider adding a -NoProfile parameter to the PowerShell command to prevent the user's profile from being loaded during the repair process.
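
A detection sketch for the condition described above, as an added example that is not part of the original advisory or Cryptomator's code: it flags process-creation events where msiexec.exe starts PowerShell as SYSTEM without -NoProfile ahead of the script payload. The event field names follow Sysmon process-creation events; the `Id` field, the sample events and their paths are constructed for illustration.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe"}
PAYLOAD_SWITCHES = ("command", "file", "encodedcommand")

def has_noprofile(command_line):
    """True if -NoProfile (or an abbreviation from -nop up) precedes the payload."""
    for token in command_line.split():
        if token[0] not in "-/":
            continue  # executable path or a switch value
        name = token[1:].lower()
        if len(name) >= 3 and "noprofile".startswith(name):
            return True
        if name == "ec" or (name and any(s.startswith(name) for s in PAYLOAD_SWITCHES)):
            return False  # what follows is script text or script arguments
    return False

def is_risky(event):
    """PowerShell started by msiexec.exe as SYSTEM with profile loading enabled."""
    return (ntpath.basename(event["Image"]).lower() in SHELLS
            and ntpath.basename(event["ParentImage"]).lower() == "msiexec.exe"
            and event["User"].upper() == r"NT AUTHORITY\SYSTEM"  # assumes English account name
            and not has_noprofile(event["CommandLine"]))

def flag(events):
    """Return the Ids of events that match the risky pattern."""
    return [e["Id"] for e in events if is_risky(e)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\System32\msiexec.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed sample events (not real telemetry); "Id" is a hypothetical record number.
SAMPLE_EVENTS = [
    {"Id": 1, "Image": PS, "ParentImage": MSI, "User": SYSTEM,
     "CommandLine": r"powershell.exe -NoLogo -ExecutionPolicy Bypass -File C:\Example\step.ps1"},
    {"Id": 2, "Image": PS, "ParentImage": MSI, "User": SYSTEM,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Example\step.ps1"},
    {"Id": 3, "Image": PS, "ParentImage": MSI, "User": SYSTEM,
     "CommandLine": r'powershell.exe -nop -c "Write-Output ok"'},
    {"Id": 4, "Image": PS, "ParentImage": MSI, "User": SYSTEM,  # switch only inside the payload
     "CommandLine": r'''powershell.exe -Command "& 'C:\Example\step.ps1' -NoProfile"'''},
    {"Id": 5, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "User": r"EXAMPLE\alice",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    print(flag(SAMPLE_EVENTS))
```

The switch parsing is a heuristic: it treats everything after -Command, -File or -EncodedCommand as payload, so a -NoProfile that appears only inside the script text does not count.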

Exploit

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2023-39520
GHSA-62GX-54J7-MJH3

Affected Products

Cryptomator