CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score
Confidence: Low

SSVC
Exploitation: poc
Automatable: no
Technical Impact: total

The WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as the SYSTEM user, Burn uses GetTempPathW, which points to the insecure directory C:\Windows\Temp, to drop and load multiple binaries. Standard users can hijack a binary before it is loaded into the application, resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

[
  {
    "cpes": [
      "cpe:2.3:a:wixtoolset_project:burn:*:*:*:*:*:*:*:*"
    ],
    "vendor": "wixtoolset_project",
    "product": "burn",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.14.1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "4.0.0",
        "lessThan": "4.0.5",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
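
A triage check built from the affected ranges above, as an added example (not part of the advisory or of the WiX project). It assumes dotted numeric versions compared component by component, since the record marks versionType as custom; the function names, status labels and sample inventory are constructed for illustration.

```python
from itertools import zip_longest

# Ranges copied from the record's "versions" array: lower bound inclusive,
# "lessThan" bound exclusive. Comparison rule is an assumption (see lead-in).
AFFECTED_RANGES = [("0", "3.14.1"), ("4.0.0", "4.0.5")]


def parse_version(text):
    """Turn '3.14.0.1234' into (3, 14, 0, 1234); reject anything non-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Return -1, 0 or 1, padding the shorter tuple with zeros (4.0 == 4.0.0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def is_affected(version):
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(
        compare(v, parse_version(low)) >= 0 and compare(v, parse_version(high)) < 0
        for low, high in AFFECTED_RANGES
    )


def triage(inventory):
    """Map each installer name to 'affected', 'not-listed' or 'unparsed'."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "affected" if is_affected(version) else "not-listed"
        except ValueError:
            # Do not guess: versions that cannot be parsed need manual review.
            result[name] = "unparsed"
    return result


# Constructed inventory: installer name -> WiX version used to build the bundle.
SAMPLE = {"agent-setup.exe": "3.11.2", "vpn-setup.exe": "4.0.5",
          "sync-setup.exe": "3.14.1.0", "old-tool.exe": "4.0.0-rc.1"}

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {status}")
```

"not-listed" means only that the version is outside both affected ranges; the record's defaultStatus for such versions is "unknown".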