Page 4 of 37 results (0.006 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Asana Desktop before 1.6.0 allows remote attackers to exfiltrate local files if they can trick the Asana desktop app into loading a malicious web page. Asana Desktop versiones anteriores a 1.6.0, permite a atacantes remotos exfiltrar archivos locales si consiguen engañar a la aplicación de escritorio Asana para que cargue una página web maliciosa • https://asana.com https://forum.asana.com/t/asana-desktop-app-security-update/160477 • CWE-552: Files or Directories Accessible to External Parties •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Element Desktop is a Matrix client for desktop platforms with Element Web at its core. Element Desktop before 1.9.7 is vulnerable to a remote program execution bug with user interaction. The exploit is non-trivial and requires clicking on a malicious link, followed by another button click. To the best of our knowledge, the vulnerability has never been exploited in the wild. If you are using Element Desktop < 1.9.7, we recommend upgrading at your earliest convenience. • https://github.com/vector-im/element-desktop/commit/89b1e39b801655e595337708d4319ba4313feafa https://github.com/vector-im/element-desktop/security/advisories/GHSA-mjrg-9f8r-h3m7 • CWE-416: Use After Free •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

Due to a bug with management of handles in OVRServiceLauncher.exe, an attacker could expose a privileged process handle to an unprivileged process, leading to local privilege escalation. This issue affects Oculus Desktop versions after 1.39 and prior to 31.1.0.67.507. Debido a un bug en la administración de los manejadores en el archivo OVRServiceLauncher.exe, un atacante podría exponer un manejador de proceso privilegiado a un proceso no privilegiado, conllevando a una escalada de privilegios local. Este problema afecta a Oculus Desktop versiones posteriores a 1.39 y anteriores a 31.1.0.67.507. • https://www.facebook.com/security/advisories/cve-2021-24038 • CWE-269: Improper Privilege Management •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. • https://github.com/nextcloud/desktop/pull/3338 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f5fr-5gcv-6cc5 https://hackerone.com/reports/1189162 https://www.debian.org/security/2021/dsa-4974 • CWE-295: Improper Certificate Validation •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. Docker Desktop versiones anteriores a 3.6.0, sufre de un control de acceso incorrecto. Si una cuenta poco privilegiada es capaz de acceder al servidor que ejecuta los contenedores de Windows, puede conllevar a un compromiso del contenedor completo en los modos de aislamiento de procesos y de aislamiento de Hyper-V. • https://docs.docker.com/docker-for-windows/release-notes • CWE-732: Incorrect Permission Assignment for Critical Resource •