CVE-2024-7262

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document
References
Link Resource
https://www.wps.com/whatsnew/pc/20240422/ Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:kingsoft:wps_office:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

22 Aug 2024, 06:15

Type Values Removed Values Added
Summary (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 (inclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document

16 Aug 2024, 14:25

Type Values Removed Values Added
Summary
  • (es) La validación de ruta incorrecta en promecefpluginhost.exe en la versión Kingsoft WPS Office que va desde 12.2.0.13110 a 12.2.0.13489 (incluida) en Windows permite a un atacante cargar una librería arbitraria de Windows. La vulnerabilidad se encontró armada como un exploit de un solo clic en forma de un documento de hoja de cálculo engañoso.
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:kingsoft:wps_office:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
First Time Microsoft
Kingsoft wps Office
Microsoft windows
Kingsoft
References () https://www.wps.com/whatsnew/pc/20240422/ - () https://www.wps.com/whatsnew/pc/20240422/ - Vendor Advisory

16 Aug 2024, 08:15

Type Values Removed Values Added
Summary (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load an arbitrary Windows library. Using the MHTML format allows an attacker to automatically deliver a malicious library on opening the document and a single user click on a crafted hyperlink leads to the execution of the library. (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 (inclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document

15 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-15 15:15

Updated : 2024-09-05 13:30


NVD link : CVE-2024-7262

Mitre link : CVE-2024-7262

CVE.ORG link : CVE-2024-7262


JSON object : View

Products Affected

microsoft

  • windows

kingsoft

  • wps_office
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')