9.3
CVE-2024-7262
- EPSS 15.94%
- Veröffentlicht 15.08.2024 15:15:22
- Zuletzt bearbeitet 30.10.2025 20:12:05
- Quelle security@eset.com
- CVE-Watchlists
- Unerledigt
LoginImproper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Kingsoft ≫ Wps Office Version >= 12.2.0.13110 < 12.2.0.16412
03.09.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
Kingsoft WPS Office Path Traversal Vulnerability
SchwachstelleKingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.
BeschreibungApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 15.94% | 0.946 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| security@eset.com | 9.3 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:X
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.