PT-2023-15615 · Softperfect · Softperfect Networx
Giulia Melotti Garibaldi · Published 2023-01-24 · Updated 2023-02-06 · CVE-2022-48199
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SoftPerfect NetWorx version 7.1.1
Description
The issue allows an attacker to execute a malicious binary with potentially higher privileges via a low-privileged user account. This is achieved by abusing the Notifications function, which permits arbitrary binary execution and can be modified by any user. As a result, the binary execution occurs in the context of any user running the software. If the Notifications function is modified to execute a malicious binary, it will be executed by every user running the software on the system.
Recommendations
For SoftPerfect NetWorx version 7.1.1, consider disabling the Notifications function until a patch is available to prevent arbitrary binary execution. Restrict access to the Notifications function to minimize the risk of exploitation.
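One way to check the "can be modified by any user" condition on a host, as an added example that is not part of the original advisory or the vendor's tooling. It assumes the notification settings are stored in a file or folder on disk; the advisory does not say where, so the path below is a placeholder to be replaced with the real location on the audited system.

```powershell
# Added example: list Allow ACEs that let broad, low-privileged groups
# modify a settings file or folder. Function name and path are hypothetical.
function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs of groups that include ordinary users.
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # Rights that allow changing content or permissions of the object.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # Unmapped generic bits can appear in raw ACEs: GENERIC_WRITE, GENERIC_ALL.
    $genericMask = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account could not be resolved to a SID
        if ($lowPrivSids -notcontains $sid) { continue }

        $raw = [int]$ace.FileSystemRights
        if (($raw -band $writeMask) -or ($raw -band $genericMask)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder: replace with the actual settings location on the audited host.
$settingsPath = 'C:\PLACEHOLDER\NetWorx-settings'
if (Test-Path -LiteralPath $settingsPath) {
    @(Get-Item -LiteralPath $settingsPath -Force) +
        @(Get-ChildItem -LiteralPath $settingsPath -Recurse -Force) |
        ForEach-Object { Get-LowPrivWriteAce -Path $_.FullName } |
        Format-Table -AutoSize
}
```

Any row returned means a low-privileged account can change that object; an empty result for the real settings location is the state the recommendation above aims for.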
Fix
Incorrect Default Permissions
Weakness Enumeration
Related Identifiers
Affected Products
Softperfect Networx