CVE-2020-1984
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with 'create folders or append data' access to the root of the OS disk (C:) to gain system privileges if the path does not already exist or is writable. This issue affects all versions of Secdo for Windows.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Secdo | Secdo | all versions | affected |
Weaknesses
- CWE-73: CWE-73 External Control of File Name or Path
Workarounds
This issue can be mitigated by :
- Ensure unprivileged users do not have 'create folder' access on the root of filesystem such as C:. or
- Creating a folder named C:\Common and ensuring unprivileged users do not have 'create folder' access.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.