
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

ProtonVPN before 3.2.10 on Windows mishandles the drive installer path, which should use this: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' in Setup/setup.iss.

• https://github.com/ProtonVPN/win-app/commit/2e4e25036842aaf48838c6a59f14671b86c20aa7
• https://github.com/ProtonVPN/win-app/compare/3.2.9...3.2.10

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

ProtonVPN 1.3.3 for Windows suffers from a SYSTEM privilege escalation vulnerability through the "ProtonVPN Service" service. This service establishes a NetNamedPipe endpoint that allows arbitrary installed applications to connect and call publicly exposed methods. The "Connect" method accepts a class instance argument that provides attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin that should run for every new VPN connection. This plugin will execute code in the context of the SYSTEM user.

• https://github.com/VerSprite/research/blob/master/advisories/VS-2018-017.md
• CWE-732: Incorrect Permission Assignment for Critical Resource