Unquoted path or search item vulnerability in SugarSync

Posted date 03/05/2024
Identifier
INCIBE-2024-0222
Importance
4 - High
Affected Resources

SugarSync, versions lower than 4.1.3.

Description

INCIBE has coordinated the publication of a high severity vulnerability affecting SugarSync Inc, a cloud-based document storage and synchronization service, in versions lower than 4.1.3, which has been discovered by Jorge Manuel Lozano Gómez.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-4461: 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-428.

Solution

There is no reported solution at this time.

Detail

CVE-2024-4461: unquoted path or search item vulnerability in SugarSync versions prior to 4.1.3 for Windows. This misconfiguration could allow an unauthorized local user to inject arbitrary code into the unquoted service path, resulting in privilege escalation.
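
For defenders auditing Windows hosts for this class of weakness (CWE-428), the following PowerShell is an added example, not code from INCIBE or SugarSync. It flags services whose executable path contains spaces but is not quoted and shows the quoted form. The function names and sample paths are constructed for illustration, since the advisory does not give the affected service name or path.

```powershell
# Added example: read-only audit for CWE-428 (unquoted service path).
# Function names and sample paths are hypothetical, constructed for illustration.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    # A command line that starts with a quote delimits the executable explicitly.
    if ($p.StartsWith('"')) { return $false }
    # Isolate the executable (up to the first ".exe" followed by a space or end).
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    # Ambiguous only when the executable path itself contains a space.
    return ($m.Success -and $m.Groups[1].Value.Contains(' '))
}

function Get-QuotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Wrap only the executable in double quotes; arguments are left unchanged.
    return [regex]::Replace($PathName.Trim(), '^(.+?\.exe)(?=\s|$)', '"$1"', 'IgnoreCase')
}

# Constructed sample values (not taken from the advisory).
$samples = @(
    'C:\Program Files\Example Vendor\Example Service\svc.exe --run',    # flagged
    '"C:\Program Files\Example Vendor\Example Service\svc.exe" --run',  # quoted
    'C:\Windows\System32\svchost.exe -k netsvcs'                        # no space
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live audit of the local machine: list affected services with the quoted form.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Sort-Object Name |
    Select-Object Name, DisplayName, StartName, StartMode, PathName,
        @{ Name = 'SuggestedPathName'; Expression = { Get-QuotedServicePath $_.PathName } } |
    Format-List
```

The script only reads service configuration. A flagged entry is corrected by storing the quoted form in that service's ImagePath registry value under HKLM\SYSTEM\CurrentControlSet\Services.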
