CVE-2024-35205

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-35205
The WPS Office (aka cn.wps.moffice_eng) application before 17.0.0 for Android fails to properly sanitize file names before processing them through external application interactions, leading to a form of path traversal. This potentially enables any application to dispatch a crafted library file, aiming to overwrite an existing native library utilized by WPS Office. Successful exploitation could result in the execution of arbitrary commands under the guise of WPS Office's application ID.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/
https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type Values Removed Values Added
References () https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/ - () https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/ -

20 Aug 2024, 14:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
Summary
  • (es) La aplicación WPS Office (también conocida como cn.wps.moffice_eng) anterior a 17.0.0 para Android no sanitiza adecuadamente los nombres de los archivos antes de procesarlos a través de interacciones de aplicaciones externas, lo que genera una forma de Path Traversal. Potencialmente, esto permite que cualquier aplicación envíe un archivo de librería manipulado, con el objetivo de sobrescribir una librería nativa existente utilizada por WPS Office. La explotación exitosa podría resultar en la ejecución de comandos arbitrarios bajo la apariencia del ID de la aplicación de WPS Office.
CWE CWE-22

14 May 2024, 15:39

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-14 15:39

Updated : 2024-11-21 09:19

NVD link : CVE-2024-35205

Mitre link : CVE-2024-35205

CVE.ORG link : CVE-2024-35205

JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024