URL injection in Driva inSync 6.9.0 for MacOS, allows attackers to force a visit to an arbitrary url via the port parameter to the Electron App.
References
| Link | Resource |
|---|---|
| http://druva.com | Product |
| https://docs.druva.com/Knowledge_Base/Security_Update/Security_Advisory_for_inSync_Client_7.0.1_and_before | Vendor Advisory |
| https://imhotepisinvisible.com/druva-lpe/ | Exploit Patch Technical Description Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
20 Jul 2022, 15:56
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-74 | |
| CVSS |
v2 : v3 : |
v2 : 4.6
v3 : 7.8 |
| CPE | cpe:2.3:a:druva:insync_client:*:*:*:*:*:macos:*:* cpe:2.3:a:druva:insync_client:*:*:*:*:*:windows:*:* cpe:2.3:a:druva:insync_client:*:*:*:*:*:linux:*:* |
|
| References | (MISC) https://docs.druva.com/Knowledge_Base/Security_Update/Security_Advisory_for_inSync_Client_7.0.1_and_before - Vendor Advisory | |
| References | (MISC) https://imhotepisinvisible.com/druva-lpe/ - Exploit, Patch, Technical Description, Third Party Advisory | |
| References | (MISC) http://druva.com - Product |
13 Jul 2022, 17:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
12 Jul 2022, 14:28
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-07-12 14:15
Updated : 2024-02-04 22:51
NVD link : CVE-2021-36668
Mitre link : CVE-2021-36668
CVE.ORG link : CVE-2021-36668
JSON object : View
Products Affected
druva
- insync_client
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')