Vulnerability Description
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Upwork | Time Tracker | 5.2.2.716 |
Related Weaknesses (CWE)
References
- https://support.upwork.com/hc/en-us/categories/360001180954 (Product, Vendor Advisory)
- https://vuldb.com/?id.138406 (Third Party Advisory)
FAQ
What is CVE-2019-12162?
CVE-2019-12162 is a vulnerability with a CVSS score of 7.8 (HIGH). Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the origi...
How severe is CVE-2019-12162?
CVE-2019-12162 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-12162?
Check the references section above for vendor advisories and patch information. Affected products include: Upwork Time Tracker.