CVE-2020-35152 – Privilege escalation through unquoted service binary path on Cloudflare WARP for Windows
https://notcve.org/view.php?id=CVE-2020-35152
Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path. A malicious user or process running with non-administrative privileges can become an administrator by abusing the unquoted service path issue. Since version 1.2.2695.1, the vulnerability was fixed by adding quotes around the service's binary path. This issue affects Cloudflare WARP for Windows, versions prior to 1.2.2695.1. Cloudflare WARP para Windows permite un escalada de privilegios debido a una ruta de servicio sin comillas. • https://github.com/cloudflare/advisories/security/advisories/GHSA-qc57-v5q8-f22h • CWE-428: Unquoted Search Path or Element •
CVE-2020-24356 – Local Privilege Escalation in cloudflared
https://notcve.org/view.php?id=CVE-2020-24356
`cloudflared` versions prior to 2020.8.1 contain a local privilege escalation vulnerability on Windows systems. When run on a Windows system, `cloudflared` searches for configuration files which could be abused by a malicious entity to execute commands as a privileged user. Version 2020.8.1 fixes this issue. "cloudflared" versiones anteriores a 2020.8.1, contiene una vulnerabilidad de escalada de privilegios local en los sistemas Windows. Cuando se ejecuta en un sistema Windows, "cloudflared" busca archivos de configuración que podrían ser abusados ?? • https://github.com/cloudflare/cloudflared/security/advisories/GHSA-hgwp-4vp4-qmm2 • CWE-427: Uncontrolled Search Path Element •
CVE-2017-7235
https://notcve.org/view.php?id=CVE-2017-7235
An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0. Se ha descubierto un problema en cloudflare-scrape 1.6.6 hasta la versión 1.7.1. Un propietario de un sitio web malicioso podría manipular una página que ejecuta código Python arbitrario contra cualquier usuario cfscrape que roce dicho sitio web. esto está solucionado en la versión 1.8.0. • http://www.securityfocus.com/bid/97191 https://github.com/Anorov/cloudflare-scrape/issues/97 https://github.com/Anorov/cloudflare-scrape/releases/tag/1.8.0 • CWE-20: Improper Input Validation •