|
[Japanese]
|
JVNDB-2024-000098
|
Multiple products from KINGSOFT JAPAN vulnerable to path traversal
|
|
KINGSOFT JAPAN, INC. provides Kingsoft Office Software's WPS Office and its related products localized for Japan.
WPS Office and its related products provided by KINGSOFT JAPAN, INC. contain a path traversal vulnerability (CWE-22, CVE-2024-7262, CVE-2024-7263)) due to inadequate file path validation by promecefpluginhost.exe.
Note that, a report has been published describing that "WPS Office provided by Kingsoft Office Software is affected to this vulnerability and exploitation is observed".
KINGSOFT JAPAN, INC. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and KINGSOFT JAPAN, INC. coordinated under the Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
|
|
KINGSOFT, INC.
- KINGSOFT PDF Pro Ver.11.2.0.10696 and earlier
- WPS Cloud (Desktop application for Windows) Ver.11.2.0.10693 and earlier
- WPS Cloud Pro (Desktop application for Windows) Ver.11.2.0.10693 and earlier
- WPS Office2 for Windows Ver.11.2.0.10693 and earlier
|
|
|
If a user clicks on a link embeded in a crafted file, arbitrary code may be executed on the user's Windows system.
|
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
|
|
KINGSOFT, INC.
|
|
- Path Traversal(CWE-22) [IPA Evaluation]
|
|
- CVE-2024-7262
- CVE-2024-7263
|
|
- JVN : JVN#32529796
- Related document : Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
|
|
- [2024/09/06]
Web page was published
|
