PT-2024-17791 · Evoko · Evoko Home

Alexander Huaman · Published 2024-12-23 · Updated 2024-12-28 · CVE-2024-12903

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Evoko Home versions 2.4.2 through 2.7.4

Description

Evoko Home has incorrect default permissions: the 'Everyone' group holds full control over its files and folders. Because 'Everyone' includes any user with local access to the operating system, regardless of privileges, a non-admin user can exploit these weak file and folder permissions to potentially escalate privileges, execute arbitrary code, and maintain persistence on the compromised machine.

Recommendations

For Evoko Home versions 2.4.2 through 2.7.4, consider restricting access to sensitive files and folders to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and adjust the permissions of the 'Everyone' group to prevent non-admin users from exploiting the weak permissions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
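One way to carry out the permission review described above, as an added example that is not part of the advisory or the vendor's tooling. The `$InstallRoot` parameter is a placeholder, since the advisory does not state where Evoko Home is installed.

```powershell
# Added example (not vendor code): list ACL entries that let 'Everyone' modify files.
param(
    # Placeholder: the advisory does not state the install location; supply the real one.
    [Parameter(Mandatory)] [string] $InstallRoot
)

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language

# Specific rights that allow replacing or planting files, plus the generic
# GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs sometimes carry.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

$items = @(Get-Item -LiteralPath $InstallRoot -Force) +
         @(Get-ChildItem -LiteralPath $InstallRoot -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Ask for SIDs instead of account names so the comparison is exact.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $everyoneSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings | Sort-Object Inherited, Path | Format-Table -AutoSize -Wrap
"{0} writable-by-Everyone entries under {1}" -f @($findings).Count, $InstallRoot
```

Entries with `Inherited` set to `False` are set directly on that file or folder; inherited entries have to be corrected on the parent folder that defines them.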

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2024-12903

Affected Products

Evoko Home