JVN#84326763: Multiple vulnerabilities in SKYSEA Client View

Published: 2024-07-29
Source: Japan Vulnerability Notes (jvn.jp)

CVSS3: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

AI Score: 7.8 (Confidence: Low)
EPSS: 0 (Percentile: 10.5%)

SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool.
SKYSEA Client View contains multiple vulnerabilities listed below.

  • Improper access control in the specific process (CWE-266): CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, Base Score 7.8, CVE-2024-41139
  • Origin validation error in shared memory data exchanges (CWE-346): CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, Base Score 7.8, CVE-2024-41143
  • Path traversal (CWE-22): CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, Base Score 7.5, CVE-2024-41726

Impact

  • If a user who can log in to the PC where the product’s Windows client is installed places a specially crafted DLL file in a specific folder, arbitrary code may be executed with SYSTEM privilege (CVE-2024-41139)
  • An arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product’s Windows client is installed (CVE-2024-41143)
  • An arbitrary executable file may be executed by a user who can log in to the PC where the product’s Windows client is installed (CVE-2024-41726)

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.19.3 that addresses these vulnerabilities.

Apply the patch
For SKYSEA Client View Ver.17.0 to Ver.19.210.04e, the developer has released patches that contain fixes for these vulnerabilities.
For more details, refer to the information provided by the developer.

Products Affected

CVE-2024-41139

  • SKYSEA Client View versions from Ver.6.010.06 to Ver.19.210.04e

CVE-2024-41143

  • SKYSEA Client View versions from Ver.3.013.00 to Ver.19.210.04e

CVE-2024-41726

  • SKYSEA Client View versions from Ver.15.200.13i to Ver.19.210.04e
