CVE-2024-6473
DLL Hijacking in Yandex Browser
Severity Score
8.4
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.
*Credits:
Doctor Web, Ltd.
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-07-03 CVE Reserved
- 2024-09-03 CVE Published
- 2024-09-03 CVE Updated
- 2024-09-06 EPSS Updated
- 2024-11-02 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-426: Untrusted Search Path
CAPEC
- CAPEC-233: Privilege Escalation
References (2)
| URL | Tag | Source |
|---|---|---|
| https://yandex.com/bugbounty/i/hall-of-fame-browser |
| URL | Date | SRC |
|---|---|---|
| https://github.com/12345qwert123456/CVE-2024-6473-PoC | 2024-11-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Yandex Search vendor "Yandex" | Browser Search vendor "Yandex" for product "Browser" | < 24.7.1.380 Search vendor "Yandex" for product "Browser" and version " < 24.7.1.380" | en |
Affected
| ||||||