PT-2023-26992 · Unknown · Cryptomator

Pfiatde · Published 2023-08-07 · Updated 2025-04-10 · CVE-2023-39520

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Cryptomator version 1.9.2

Description

Cryptomator encrypts data stored on cloud infrastructure. The issue allows local privilege escalation for low-privileged users via the repair function. This occurs because the repair function of the MSI installer spawns a SYSTEM PowerShell without the -NoProfile parameter, which loads the profile of the user who started the repair.

Recommendations

For Cryptomator version 1.9.2, update to version 1.9.3 to resolve the issue. As a temporary workaround, consider adding the -NoProfile parameter to the PowerShell command to prevent the user's profile from being loaded during the repair process.
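
One way to detect the condition described above in process-creation telemetry, added here as an example and not taken from the advisory or from Cryptomator: it flags records where PowerShell runs as SYSTEM without -NoProfile. Field names follow Sysmon Event ID 1; the sample records, the msiexec.exe parent and the script paths are constructed assumptions.

```python
import ntpath

# Constructed sample records using Sysmon Event ID 1 field names. The
# msiexec.exe parent and C:\example paths are assumptions for illustration.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\System32\msiexec.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    {"User": SYSTEM, "Image": PS, "ParentImage": MSI,
     "CommandLine": r"powershell.exe -NonInteractive -File C:\example\step.ps1"},
    {"User": SYSTEM, "Image": PS, "ParentImage": MSI,
     "CommandLine": r"powershell.exe -NoProfile -File C:\example\step.ps1"},
    {"User": SYSTEM, "Image": PS, "ParentImage": MSI,
     "CommandLine": "powershell.exe -nop -c Get-Date"},
    {"User": r"DESKTOP\alice", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
PAYLOAD_SWITCHES = ("command", "file", "encodedcommand")

def has_noprofile(command_line):
    """True if -NoProfile, or an abbreviation from -NoP upward, is passed as a switch."""
    # Simplification: tokens are split on whitespace and the first is the executable.
    for token in command_line.split()[1:]:
        if token[0] not in "-/":
            continue
        name = token[1:].lower()
        if name and any(s.startswith(name) for s in PAYLOAD_SWITCHES):
            return False  # what follows is script text or a path, not switches
        if len(name) >= 3 and "noprofile".startswith(name):
            return True
    return False

def flag_system_shells(events):
    """Return records where PowerShell runs as SYSTEM and profile loading is not disabled."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        if (ev["User"].lower() == SYSTEM.lower() and image in SHELLS
                and not has_noprofile(ev["CommandLine"])):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in flag_system_shells(SAMPLE_EVENTS):
        print("SYSTEM PowerShell without -NoProfile:", ev["ParentImage"], "->", ev["CommandLine"])
```
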

Exploit

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2023-39520
GHSA-62GX-54J7-MJH3

Affected Products

Cryptomator