CVE-2023-45883 - OpenCVE

A privilege escalation vulnerability exists within the Qumu Multicast Extension v2 before 2.0.63 for Windows. When a standard user triggers a repair of the software, a pop-up window opens with SYSTEM privileges. Standard users may use this to gain arbitrary code execution as SYSTEM.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Enghouse	Qumu
Microsoft	Windows

Configuration 1 [-]

AND

cpe:2.3:a:enghouse:qumu:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://hackandpwn.com/disclosures/CVE-2023-45883.pdf
https://www.vidyo.com/enterprise-video-management/qumu

History

Thu, 12 Sep 2024 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-269

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-10-19T00:00:00

Updated: 2024-09-12T18:26:21.567Z

Reserved: 2023-10-15T00:00:00

Link: CVE-2023-45883

Vulnrichment

Updated: 2024-08-02T20:29:32.609Z

NVD

Status : Modified

Published: 2023-10-19T13:15:10.447

Modified: 2024-09-12T19:35:04.833

Link: CVE-2023-45883

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-45883", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-09-12T18:26:21.567Z", "dateReserved": "2023-10-15T00:00:00", "datePublished": "2023-10-19T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-19T12:52:00.893101"}, "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists within the Qumu Multicast Extension v2 before 2.0.63 for Windows. When a standard user triggers a repair of the software, a pop-up window opens with SYSTEM privileges. Standard users may use this to gain arbitrary code execution as SYSTEM."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.vidyo.com/enterprise-video-management/qumu"}, {"url": "https://hackandpwn.com/disclosures/CVE-2023-45883.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:29:32.609Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.vidyo.com/enterprise-video-management/qumu", "tags": ["x_transferred"]}, {"url": "https://hackandpwn.com/disclosures/CVE-2023-45883.pdf", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}], "affected": [{"vendor": "qumu", "product": "mulitcast_extension", "cpes": ["cpe:2.3:a:qumu:mulitcast_extension:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.0.63", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T18:23:42.516777Z", "id": "CVE-2023-45883", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T18:26:21.567Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.vidyo.com/enterprise-video-management/qumu", "tags": ["x_transferred"]}, {"url": "https://hackandpwn.com/disclosures/CVE-2023-45883.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:29:32.609Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-45883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-12T18:23:42.516777Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qumu:mulitcast_extension:*:*:*:*:*:*:*:*"], "vendor": "qumu", "product": "mulitcast_extension", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.63", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T18:26:09.704Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.vidyo.com/enterprise-video-management/qumu"}, {"url": "https://hackandpwn.com/disclosures/CVE-2023-45883.pdf"}], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists within the Qumu Multicast Extension v2 before 2.0.63 for Windows. When a standard user triggers a repair of the software, a pop-up window opens with SYSTEM privileges. Standard users may use this to gain arbitrary code execution as SYSTEM."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-19T12:52:00.893101"}}}, "cveMetadata": {"cveId": "CVE-2023-45883", "state": "PUBLISHED", "dateUpdated": "2024-09-12T18:26:21.567Z", "dateReserved": "2023-10-15T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-10-19T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enghouse:qumu:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C995409-E387-4294-A583-9CC33321F536", "versionEndExcluding": "2.0.63", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists within the Qumu Multicast Extension v2 before 2.0.63 for Windows. When a standard user triggers a repair of the software, a pop-up window opens with SYSTEM privileges. Standard users may use this to gain arbitrary code execution as SYSTEM."}, {"lang": "es", "value": "Existe una vulnerabilidad de escalada de privilegios en Qumu Multicast Extension v2 anterior a 2.0.63 para Windows. Cuando un usuario est\u00e1ndar inicia una reparaci\u00f3n del software, se abre una ventana emergente con privilegios de SYSTEM. Los usuarios est\u00e1ndar pueden usar esto para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario como SYSTEM."}], "id": "CVE-2023-45883", "lastModified": "2024-09-12T19:35:04.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-19T13:15:10.447", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://hackandpwn.com/disclosures/CVE-2023-45883.pdf"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.vidyo.com/enterprise-video-management/qumu"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}