PT-2024-16444 · Google · Google Quickshare

Published: 2024-07-11 · Updated: 2025-07-23 · CVE-2024-10668

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Google Quickshare versions prior to v1.0.2002.2

Description

The issue is related to an authentication bypass in Google Quickshare, allowing an attacker to upload an unknown file type to a victim. This occurs because when a Payload Transfer frame of type FILE is sent to Quick Share, the file is written to disk in the Downloads folder. Normally, Quickshare deletes unknown files, but an attacker can exploit this by sending two Payload Transfer frames of type FILE with the same payload ID, resulting in the deletion logic only deleting the first file and not the second.

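The cleanup gap described above can be reproduced in a simplified receiver model. This is an added example, not Quick Share's code: the Receiver class, its methods, the file names and the reject_duplicates hardening are assumptions made for illustration, and the input frames are constructed.

```python
import os
import tempfile


class Receiver:
    """Hypothetical receiver that writes FILE payloads into a downloads directory."""

    def __init__(self, downloads, reject_duplicates):
        self.downloads = downloads
        self.reject_duplicates = reject_duplicates
        self.tracked = {}  # payload_id -> path remembered for later cleanup

    def on_file_frame(self, payload_id, name, data):
        if self.reject_duplicates and payload_id in self.tracked:
            return False  # hardened: a payload ID is accepted only once
        path = self._unique_path(name)
        with open(path, "wb") as fh:
            fh.write(data)
        # Modelled flaw: one path per payload ID, and the first one wins,
        # so a second file written under the same ID is never tracked.
        self.tracked.setdefault(payload_id, path)
        return True

    def _unique_path(self, name):
        # Avoid overwriting: "a.bin", then "a (1).bin", and so on.
        base, ext = os.path.splitext(name)
        path, n = os.path.join(self.downloads, name), 0
        while os.path.exists(path):
            n += 1
            path = os.path.join(self.downloads, f"{base} ({n}){ext}")
        return path

    def cleanup_unknown(self, accepted_ids):
        """Delete files whose payload ID belongs to no accepted transfer."""
        for pid, path in list(self.tracked.items()):
            if pid not in accepted_ids:
                os.remove(path)
                del self.tracked[pid]


def leftover_files(reject_duplicates):
    """Return the files still on disk after cleanup of unknown payloads."""
    with tempfile.TemporaryDirectory() as d:
        rx = Receiver(d, reject_duplicates)
        # Constructed input: two FILE frames sharing payload ID 7.
        rx.on_file_frame(7, "a.bin", b"first")
        rx.on_file_frame(7, "a.bin", b"second")
        rx.cleanup_unknown(accepted_ids=set())
        return sorted(os.listdir(d))
```

With reject_duplicates set to False the second file survives cleanup; with it set to True nothing is left in the directory.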
Recommendations

For Google Quickshare versions prior to v1.0.2002.2, upgrade past commit 5d8b9156e0c339d82d3dab0849187e8819ad92c0 or update to Quick Share Windows v1.0.2002.2 to resolve the issue. As a temporary workaround, consider restricting access to the Payload Transfer frame of type FILE to minimize the risk of exploitation.

Fix

DoS

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2025-05012
CVE-2024-10668

Affected Products

Google Quickshare