Skip to main content

Desktop CVE-2023-28122

HIGH
Improper Privilege Management (CWE-269)
2023-04-19 support@hackerone.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 19, 2023 - 20:15 nvd
HIGH 7.8

DescriptionNVD

A local privilege escalation (LPE) vulnerability in UI Desktop for Windows (Version 0.59.1.71 and earlier) allows a malicious actor with local access to a Windows device running said application to submit arbitrary commands as SYSTEM.This vulnerability is fixed in Version 0.62.3 and later.

AnalysisAI

A local privilege escalation (LPE) vulnerability in UI Desktop for Windows (Version 0.59.1.71 and earlier) allows a malicious actor with local access to a Windows device running said application to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. A local privilege escalation (LPE) vulnerability in UI Desktop for Windows (Version 0.59.1.71 and earlier) allows a malicious actor with local access to a Windows device running said application to submit arbitrary commands as SYSTEM.This vulnerability is fixed in Version 0.62.3 and later. Affected products include: Ui Desktop. Version information: Version 0.59.1.71.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

CVE-2023-1802 HIGH POC
7.5 Apr 06

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the H

CVE-2020-8227 MEDIUM POC
6.8 Aug 21

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Serv

CVE-2020-8140 MEDIUM POC
6.7 Mar 20

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client wit

CVE-2020-10665 MEDIUM POC
6.7 Mar 18

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnost

CVE-2023-28997 MEDIUM POC
6.5 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.5), thi

CVE-2021-32728 MEDIUM POC
6.5 Aug 18

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Rated medium severity

CVE-2023-28999 MEDIUM POC
6.4 Apr 04

Nextcloud is an open-source productivity platform. Rated medium severity (CVSS 6.4), this vulnerability is remotely expl

CVE-2023-28998 MEDIUM POC
6.1 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.1), thi

CVE-2022-39333 MEDIUM POC
6.1 Nov 25

Nexcloud desktop is the Desktop sync client for Nextcloud. Rated medium severity (CVSS 6.1), this vulnerability is remot

CVE-2021-22895 MEDIUM POC
5.9 Jun 11

Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate ve

Share

CVE-2023-28122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy