Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2024-36495
PUBLISHED
More InfoOfficial Page
Assigner-SEC-VLab
Assigner Org ID-551230f0-3615-47bd-b7cc-93e92e730bbf
View Known Exploited Vulnerability (KEV) details
Published At-24 Jun, 2024 | 08:50
Updated At-13 Feb, 2025 | 17:52
Rejected At-
▼CVE Numbering Authority (CNA)
Read/Write Permissions for Everyone on Configuration File

The application Faronics WINSelect (Standard + Enterprise) saves its configuration in an encrypted file on the file system which "Everyone" has read and write access to, path to file: C:\ProgramData\WINSelect\WINSelect.wsd The path for the affected WINSelect Enterprise configuration file is: C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd

Affected Products
Vendor
Faronics
Product
WINSelect (Standard + Enterprise)
Default Status
affected
Versions
Unaffected
  • 8.30.xx.903 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-276CWE-276 Incorrect Default Permissions
Type: CWE
CWE ID: CWE-276
Description: CWE-276 Incorrect Default Permissions
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-75CAPEC-75 Manipulating Writeable Configuration Files
CAPEC ID: CAPEC-75
Description: CAPEC-75 Manipulating Writeable Configuration Files
Solutions

The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL: https://www.faronics.com/document-library/document/download-winselect-standard   The vendor provided the following changelog: https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes

Configurations
Workarounds
Exploits
Credits
finder
Daniel Hirschberger | SEC Consult Vulnerability Lab
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://r.sec-consult.com/winselect
third-party-advisory
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
release-notes
http://seclists.org/fulldisclosure/2024/Jun/12
N/A
Hyperlink: https://r.sec-consult.com/winselect
Resource:
third-party-advisory
Hyperlink: https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
Resource:
release-notes
Hyperlink: http://seclists.org/fulldisclosure/2024/Jun/12
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
faronics
Product
winselect
CPEs
  • cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*
Default Status
affected
Versions
Unaffected
  • From 0 before 8.30.xx.903 (custom)
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://r.sec-consult.com/winselect
third-party-advisory
x_transferred
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
release-notes
x_transferred
http://seclists.org/fulldisclosure/2024/Jun/12
x_transferred
Hyperlink: https://r.sec-consult.com/winselect
Resource:
third-party-advisory
x_transferred
Hyperlink: https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
Resource:
release-notes
x_transferred
Hyperlink: http://seclists.org/fulldisclosure/2024/Jun/12
Resource:
x_transferred
Details not found