PT-2019-13303 · Techsmith · Techsmith Relay Classic Recorder+1

Published 2019-07-10 · Updated 2020-08-24 · CVE-2019-13382

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SnagIT versions 12.4.1 through 2019.1.2
TechSmith Relay Classic Recorder versions prior to 5.2.1

Description

The issue allows for elevation of privilege by placing an invalid presentation file in a specific directory and then creating a symbolic link that points to an arbitrary folder with an arbitrary file name. This can be achieved by exploiting the UploaderService in SnagIT. The vulnerability was introduced in SnagIT Windows version 12.4.1.

Recommendations

For SnagIT versions 12.4.1 through 2019.1.2, update to a version later than 2019.1.2 to resolve the issue. For TechSmith Relay Classic Recorder versions prior to 5.2.1, update to version 5.2.1 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the %PROGRAMDATA%\TechSmith\TechSmith Recorder\QueuedPresentations and %PROGRAMDATA%\Techsmith\TechSmith Recorder\InvalidPresentations directories to minimize the risk of exploitation.
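
To check whether the temporary workaround is in place, the following added example (not part of the advisory and not TechSmith code) lists ACL entries on the two directories that still grant write-type access to principals other than SYSTEM, Administrators and TrustedInstaller. The function name, the trusted-SID list and the choice of rights to flag are assumptions of this example.

```powershell
# Added example: audit the two directories named in the workaround.
$dirs = @(
    (Join-Path $env:ProgramData 'TechSmith\TechSmith Recorder\QueuedPresentations'),
    (Join-Path $env:ProgramData 'TechSmith\TechSmith Recorder\InvalidPresentations')
)

# Assumption: only these principals are expected to hold write access.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow creating, replacing or deleting entries in a directory,
# or changing who may do so.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry raw generic rights instead of file-specific ones.
$genericMask = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Get-NonAdminWriteAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Verbose "Not present: $p"
            continue
        }
        foreach ($rule in (Get-Acl -LiteralPath $p).Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$rule.FileSystemRights
            if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($trustedSids -contains $sid) { continue }
            [pscustomobject]@{
                Path      = $p
                Identity  = $rule.IdentityReference.Value
                Sid       = $sid
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# An empty result means no unexpected principal holds write access.
Get-NonAdminWriteAce -Path $dirs | Format-Table -AutoSize
```

Entries reported with `Inherited = True` come from a parent folder, so tightening them means disabling inheritance on the directory or fixing the parent ACL.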

Exploit

Fix

Link Following


Weakness Enumeration

Related Identifiers

CVE-2019-13382

Affected Products

Snagit
Techsmith Relay Classic Recorder