Vulnerability Details : CVE-2019-12162
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
Vulnerability category: Gain privilege
Products affected by CVE-2019-12162
- cpe:2.3:a:upwork:time_tracker:5.2.2.716:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12162
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-12162
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2019-12162
- The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12162
- https://support.upwork.com/hc/en-us/categories/360001180954
  Apps – Upwork Help Center (Product; Vendor Advisory)
- https://vuldb.com/?id.138406
  Upwork Time Tracker 5.2.2.716 Update SHA256 privilege escalation (Third Party Advisory)