CVE-2020-15261 — HIGH (8.0)

Q: How severe is CVE-2020-15261?

CVE-2020-15261 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-15261?

Check the references section above for vendor advisories and patch information. Affected products include: Veyon Veyon, Microsoft Windows.

Vulnerability Description

On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in anyway unsafe setups. The problem has been fixed in version 4.4.2. As a workaround, the exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Veyon	Veyon	< 4.4.2
Microsoft	Windows	-

Related Weaknesses (CWE)

CWE-428

References

http://packetstormsecurity.com/files/162873/Veyon-4.4.1-Unquoted-Service-Path.htExploitThird Party AdvisoryVDB Entry
https://github.com/veyon/veyon/commit/f231ec511b9a09f43f49b2c7bb7c60b8046276b1PatchThird Party Advisory
https://github.com/veyon/veyon/issues/657Issue TrackingThird Party Advisory
https://github.com/veyon/veyon/security/advisories/GHSA-c8cc-x786-hqqpThird Party Advisory
https://www.exploit-db.com/exploits/48246ExploitThird Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/49925ExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/162873/Veyon-4.4.1-Unquoted-Service-Path.htExploitThird Party AdvisoryVDB Entry
https://github.com/veyon/veyon/commit/f231ec511b9a09f43f49b2c7bb7c60b8046276b1PatchThird Party Advisory
https://github.com/veyon/veyon/issues/657Issue TrackingThird Party Advisory
https://github.com/veyon/veyon/security/advisories/GHSA-c8cc-x786-hqqpThird Party Advisory
https://www.exploit-db.com/exploits/48246ExploitThird Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/49925ExploitThird Party AdvisoryVDB Entry

FAQ

What is CVE-2020-15261?

CVE-2020-15261 is a vulnerability with a CVSS score of 8.0 (HIGH). On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with...

How severe is CVE-2020-15261?

CVE-2020-15261 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15261?

Check the references section above for vendor advisories and patch information. Affected products include: Veyon Veyon, Microsoft Windows.