CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37378
https://notcve.org/view.php?id=CVE-2023-37378
Nullsoft Scriptable Install System (NSIS) before 3.09 mishandles access control for an uninstaller directory. • http://sf.net/p/nsis/bugs/1296 https://github.com/kichik/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967 https://github.com/kichik/nsis/commit/409b5841479c44fbf33a6ba97c1146e46f965467 https://github.com/kichik/nsis/commit/c40cf78994e74a1a3a381a850c996b251e3277c0 https://lists.debian.org/debian-lts-announce/2023/07/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A65FBUMHLZ7GBV3VDKUB5EK3A7X2UUWK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org& •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2015-9267
https://notcve.org/view.php?id=CVE-2015-9267
Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which either a plugin or the uninstaller can be replaced by a Trojan horse program. Nullsoft Scriptable Install System (NSIS) en versiones anteriores a la 2.49 emplea ubicaciones temporales de carpetas que permiten que usuarios locales sin privilegios sobrescriban archivos. Esto permite un ataque local por el cual un plugin o el desinstalador pueden ser reemplazados por un programa troyano. • http://jvn.jp/en/jp/JVN68418039/index.html https://lists.debian.org/debian-lts-announce/2018/11/msg00041.html https://sourceforge.net/p/nsis/bugs/1125 • CWE-269: Improper Privilege Management •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 1CVE-2015-9268
https://notcve.org/view.php?id=CVE-2015-9268
Nullsoft Scriptable Install System (NSIS) before 2.49 has unsafe implicit linking against Version.dll. In other words, there is no protection mechanism in which a wrapper function resolves the dependency at an appropriate time during runtime. Nullsoft Scriptable Install System (NSIS) en versiones anteriores a la 2.49 tiene un enlace implícito inseguro contra Version.dll. En otras palabras, no hay un mecanismo de protección en el que una función wrapper resuelve la dependencia en un momento adecuado durante el tiempo de ejecución. • http://jvn.jp/en/jp/JVN68418039/index.html https://lists.debian.org/debian-lts-announce/2018/11/msg00041.html https://sourceforge.net/p/nsis/bugs/1125 • CWE-20: Improper Input Validation •