CVE-2024-24810 — Untrusted Search Path in WIX Toolset

CWE-426 — Untrusted Search Path3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 84.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Firegiant WIX Toolset Wixtoolset Issues

Timeline

PublishedFeb 7

Latest updateFeb 8

Description

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. This impacts any installer built with the WiX installer framework. This issue has been patched in version 4.0.4.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5wixtoolset/issues4.0.3

▶NVDfiregiant/wix_toolset4.0.0 — 4.0.4+1

▶NuGetfiregiant/wix_toolset4.0.0 — 4.0.4+1

🔴Vulnerability Details

GHSA

WiX Toolset's .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges↗2024-02-08

▶

OSV

WiX Toolset's .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges↗2024-02-08

▶