PT-2024-8711 · Kingsoft · Kingsoft Wps Office
Romain Dumont · Published 2024-05-23 · Updated 2025-04-28 · CVE-2024-7263
CVSS v4.0: 9.3 (Critical)
Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N
Name of the Vulnerable Software and Affected Versions
Kingsoft WPS Office versions 12.2.0.13110 through 12.2.0.17119
Description
The issue stems from improper path validation in promecefpluginhost.exe, which allows an attacker to load an arbitrary Windows library and can lead to the execution of arbitrary code. The patch released to mitigate the issue was not restrictive enough: another parameter was not properly sanitized, leading to the execution of an arbitrary Windows library.
Recommendations
For Kingsoft WPS Office versions 12.2.0.13110 through 12.2.0.17119, update to a version newer than 12.2.0.17119 to resolve the issue. As a temporary workaround, consider restricting access to the promecefpluginhost.exe file to minimize the risk of exploitation.
Fix
Path traversal
Affected Products
Kingsoft Wps Office