3 results (0.021 seconds)

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

ProtonVPN before 3.2.10 on Windows mishandles the drive installer path, which should use this: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' in Setup/setup.iss. ProtonVPN anterior a 3.2.10 en Windows maneja mal la ruta del instalador de la unidad, que debería usar esto: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' en Setup/setup.iss. • https://github.com/ProtonVPN/win-app/commit/2e4e25036842aaf48838c6a59f14671b86c20aa7 https://github.com/ProtonVPN/win-app/compare/3.2.9...3.2.10 •

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1

An exploitable code execution vulnerability exists in the connect functionality of ProtonVPN VPN client 1.5.1. A specially crafted configuration file can cause a privilege escalation, resulting in the ability to execute arbitrary commands with the system's privileges. Existe una vulnerabilidad explotable de ejecución de código en la funcionalidad de conexión del cliente VPN ProtonVPN 1.5.1. Un archivo de configuración especialmente manipulado podría provocar un escalado de privilegios, lo que resulta en la capacidad de ejecutar comandos arbitrarios con los privilegios del sistema. • http://www.securityfocus.com/bid/105319 https://talosintelligence.com/vulnerability_reports/TALOS-2018-0679 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

ProtonVPN 1.3.3 for Windows suffers from a SYSTEM privilege escalation vulnerability through the "ProtonVPN Service" service. This service establishes an NetNamedPipe endpoint that allows arbitrary installed applications to connect and call publicly exposed methods. The "Connect" method accepts a class instance argument that provides attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin that should run for every new VPN connection. This plugin will execute code in the context of the SYSTEM user. • https://github.com/VerSprite/research/blob/master/advisories/VS-2018-017.md • CWE-732: Incorrect Permission Assignment for Critical Resource •