The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines.
Advisories
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2021-21470 | The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines. |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
No history.
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-04T00:26:54.032Z
Reserved: 2021-06-17T00:00:00
Link: CVE-2021-34823
No data.
Status : Modified
Published: 2021-08-13T17:15:16.527
Modified: 2024-11-21T06:11:16.377
Link: CVE-2021-34823
No data.
OpenCVE Enrichment
No data.
Weaknesses
EUVD