CVE-2020-7360 — HIGH (7.4) — White Hats Nepal

Q: How severe is CVE-2020-7360?

CVE-2020-7360 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-7360?

Check the references section above for vendor advisories and patch information. Affected products include: Philips Smartcontrol.

Vulnerability Description

An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was released after April 15, 2020. (Note, the version numbering system changed significantly between version 4.3.15 and version 1.0.7.)

CVSS Score

7.4

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Philips	Smartcontrol	<= 4.3.15

Related Weaknesses (CWE)

CWE-427

References

https://blog.vonahi.io/when-the-path-to-system-is-wide-open/ExploitThird Party Advisory
https://blog.vonahi.io/when-the-path-to-system-is-wide-open/ExploitThird Party Advisory

FAQ

What is CVE-2020-7360?

CVE-2020-7360 is a vulnerability with a CVSS score of 7.4 (HIGH). An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing...

How severe is CVE-2020-7360?

CVE-2020-7360 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-7360?

Check the references section above for vendor advisories and patch information. Affected products include: Philips Smartcontrol.