CVE-2024-24810

2024-02-0703:15:50

CWE-426

[email protected]

web.nvd.nist.gov

wix toolset

dll redirection attacks

installer framework

security vulnerability

patch

cve-2024-24810

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.7%

JSON

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. This impacts any installer built with the WiX installer framework. This issue has been patched in version 4.0.4.

Affected configurations

Vulners

NVD

Node

wixtoolsetissuesRange≤4.0.3

CPENameOperatorVersion
firegiant:wix_toolsetfiregiant wix toolsetlt3.14.0
firegiant:wix_toolsetfiregiant wix toolsetlt4.0.4

CPE	Name	Operator	Version
firegiant:wix_toolset	firegiant wix toolset	lt	3.14.0
firegiant:wix_toolset	firegiant wix toolset	lt	4.0.4

CNA Affected

[
  {
    "vendor": "wixtoolset",
    "product": "issues",
    "versions": [
      {
        "version": "<= 4.0.3",
        "status": "affected"
      }
    ]
  }
]