PT-2022-17166 · Cybele · Thinfinity Vnc

Oscar Uribe

Published

2022-05-20

Updated

2022-06-01

CVE-2022-25227

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Thinfinity VNC version 4.0.0.1

Description The issue allows an unprivileged remote attacker to obtain an ID that can be used to send websocket requests and achieve remote code execution (RCE) if they can trick a user into browsing a malicious site. This is due to a Cross-Origin Resource Sharing (CORS) vulnerability.

Recommendations For Thinfinity VNC version 4.0.0.1, as a temporary workaround, consider restricting access to the websocket endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-346

Related Identifiers

CVE-2022-25227

Affected Products

Thinfinity Vnc

PT-2022-17166 · Cybele · Thinfinity Vnc

CVE-2022-25227

Weakness Enumeration

Related Identifiers

Affected Products

References · 6