Vulnerability Details CVE-2020-12431
A Windows privilege change issue was discovered in Splashtop Software Updater before 1.5.6.16. Insecure permissions on the configuration file and named pipe allow for local privilege escalation to NT AUTHORITY/SYSTEM, by forcing a permission change to any Splashtop files and directories, with resultant DLL hijacking. This product is bundled with Splashtop Streamer (before 3.3.8.0) and Splashtop Business (before 3.3.8.0).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.6%
CVSS Severity
CVSS v3 Score 6.6
CVSS v2 Score 6.3
References
- https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-splashtop-streamer
- https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/360042648231-Splashtop-Streamer-version-3-3-8-0-for-Windows-released-includes-SOS-version-3-3-8-0
- https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-splashtop-streamer
- https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/360042648231-Splashtop-Streamer-version-3-3-8-0-for-Windows-released-includes-SOS-version-3-3-8-0
Products affected by CVE-2020-12431
-
cpe:2.3:a:splashtop:software_updater:-
-
cpe:2.3:a:splashtop:streamer:*