Vulnerability Description
The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of SSL, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Timedoctor | Timedoctor | 1.4.72.3 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2015/Jun/105Exploit
- http://www.securityfocus.com/archive/1/535881/100/700/threaded
- http://www.securityfocus.com/bid/75572
- http://seclists.org/fulldisclosure/2015/Jun/105Exploit
- http://www.securityfocus.com/archive/1/535881/100/700/threaded
- http://www.securityfocus.com/bid/75572
FAQ
What is CVE-2015-4674?
CVE-2015-4674 is a vulnerability with a CVSS score of 9.3 (HIGH). The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of SSL, which makes it easier for man-in-the-middle attackers to e...
How severe is CVE-2015-4674?
CVE-2015-4674 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-4674?
Check the references section above for vendor advisories and patch information. Affected products include: Timedoctor Timedoctor.