PT-2019-9111 · Expressvpn · Expressvpn
Published: 2019-01-02 · Updated: 2019-01-30
CVE-2018-15490
CVSS v2.0: 6.6 (Medium)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
ExpressVPN (affected versions not specified)
Description
An issue was discovered in ExpressVPN on Windows, where the Xvpnd.exe process listens on TCP port 2015, using a JSON-RPC protocol over HTTP for communication with the client side of the application. The JSON-RPC XVPN.GetPreference and XVPN.SetPreference methods are vulnerable to path traversal, allowing reading and writing files on the file system on behalf of the service.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
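The kind of check the description implies is missing from XVPN.GetPreference and XVPN.SetPreference, as an added example (not ExpressVPN code and not part of the original advisory): the preference name is allow-listed and then confirmed, under Windows path rules, to stay inside one directory. The storage directory, the `name`/`value` parameter names, the JSON-RPC 2.0 envelope and the in-memory `store` are assumptions made for illustration.

```python
import json
import ntpath
import re

# Assumptions (not from the advisory): the storage directory, the "name"/"value"
# parameter names and the JSON-RPC 2.0 envelope are placeholders for illustration.
PREF_ROOT = r"C:\ProgramData\ExampleVPN\prefs"
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{d}{i}" for d in ("COM", "LPT") for i in range(1, 10)}


def resolve_preference(name, root=PREF_ROOT):
    """Map a client-supplied preference name to a path inside root, or raise ValueError."""
    # Allow-list first: no separators, drive letters, colons (ADS) or ".." segments.
    if not isinstance(name, str) or len(name) > 64 or not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid preference name")
    if name.split(".")[0].upper() in RESERVED:
        raise ValueError("reserved device name")
    # Defence in depth: normalise with Windows rules and confirm containment.
    candidate = ntpath.normpath(ntpath.join(root, name))
    base = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([base, ntpath.normcase(candidate)]) != base:
        raise ValueError("path escapes preference directory")
    return candidate


def handle(body, store):
    """Dispatch one request; store is a dict standing in for the file system."""
    req = json.loads(body)
    reply = {"jsonrpc": "2.0", "id": req.get("id")}
    method = req.get("method")
    params = req.get("params") if isinstance(req.get("params"), dict) else {}
    if method not in ("XVPN.GetPreference", "XVPN.SetPreference"):
        return {**reply, "error": {"code": -32601, "message": "method not found"}}
    try:
        path = resolve_preference(params.get("name"))
    except ValueError as exc:
        return {**reply, "error": {"code": -32602, "message": str(exc)}}
    if method == "XVPN.SetPreference":
        store[path] = params.get("value")
        return {**reply, "result": True}
    return {**reply, "result": store.get(path)}


if __name__ == "__main__":
    files = {}
    # Constructed requests: one legitimate name, one traversal attempt.
    for name in ("language", "..\\..\\Windows\\win.ini"):
        req = {"jsonrpc": "2.0", "id": 1, "method": "XVPN.SetPreference",
               "params": {"name": name, "value": "en"}}
        print(name, "->", handle(json.dumps(req), files))
```

Validation runs before any file access, so a rejected name never reaches the service's file-system privileges.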
Exploit
Path traversal
Affected Products
Expressvpn