CVE-2024-7263

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library.
References
Link Resource
https://www.wps.com/whatsnew/pc/20240422/ Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:kingsoft:wps_office:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

22 Aug 2024, 06:15

Type Values Removed Values Added
Summary (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17153 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.2.0.16909 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library. (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library.

16 Aug 2024, 14:25

Type Values Removed Values Added
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:kingsoft:wps_office:*:*:*:*:*:*:*:*
First Time Microsoft
Kingsoft wps Office
Microsoft windows
Kingsoft
Summary
  • (es) La validación de ruta incorrecta en promecefpluginhost.exe en la versión Kingsoft WPS Office que va desde 12.2.0.13110 a 12.2.0.17153 (exclusiva) en Windows permite a un atacante cargar una librería arbitraria de Windows. El parche lanzado en la versión 12.2.0.16909 para mitigar CVE-2024-7262 no era lo suficientemente restrictivo. Otro parámetro no se desinfectó adecuadamente, lo que lleva a la ejecución de una librería arbitraria de Windows.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
References () https://www.wps.com/whatsnew/pc/20240422/ - () https://www.wps.com/whatsnew/pc/20240422/ - Vendor Advisory

16 Aug 2024, 08:15

Type Values Removed Values Added
Summary (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.2.0.16909 to mitigate CVE-2024-7262 was not restrictive enough. Another hyperlink parameter was not properly sanitized which leads to the execution of an arbitrary Windows library. (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17153 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.2.0.16909 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library.

15 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-15 15:15

Updated : 2024-08-22 06:15


NVD link : CVE-2024-7263

Mitre link : CVE-2024-7263

CVE.ORG link : CVE-2024-7263


JSON object : View

Products Affected

microsoft

  • windows

kingsoft

  • wps_office
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')