
CVSS: 6.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

TeamViewer Linux versions before 15.28 do not properly execute a deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID, as well as either possession of the pre-crash connection password or local authenticated access to the machine, would have allowed establishing a remote connection by reusing the connection password that was not properly deleted.

• https://www.teamviewer.com/en/trust-center/security-bulletins/TV-2022-1001
• CWE-404: Improper Resource Shutdown or Release

CVSS: 3.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

This vulnerability allows local attackers to disclose sensitive information on affected installations of TeamViewer. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the TeamViewer service. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.

• https://community.teamviewer.com/English/discussion/117794/august-updates-security-patches
• https://www.zerodayinitiative.com/advisories/ZDI-22-082
• CWE-125: Out-of-bounds Read
• CWE-129: Improper Validation of Array Index

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TeamViewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TVS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process.

• https://community.teamviewer.com/English/discussion/117794/august-updates-security-patches/p1
• https://www.zerodayinitiative.com/advisories/ZDI-21-1001
• CWE-125: Out-of-bounds Read

CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations.

• https://community.teamviewer.com/English/discussion/111147/windows-v9-0-259145
• https://community.teamviewer.com/English/discussion/111149/windows-v10-0-259144
• https://community.teamviewer.com/English/discussion/111150/windows-v11-0-259143
• https://community.teamviewer.com/English/discussion/111151/windows-v12-0-259142
• https://community.teamviewer.com/English/discussion/111152/windows-v13-2-36222
• https://community.teamviewer.com/English/discussion/111153/windows-v14-2-56678
• https://community.teamviewer.com/English/di
• CWE-427: Uncontrolled Search Path Element

CVSS: 8.8 • EPSS: 20% • CPEs: 2 • EXPL: 1

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

• https://github.com/Dilshan-Eranda/CVE-2020-13699
• https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448
• https://jeffs.sh/CVEs/CVE-2020-13699.txt
• CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')