Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-12171 |
CWE-ID | CWE-327 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Dropbox for Windows (Client/Desktop applications / File managers, FTP clients) |
Vendor | Dropbox |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU35750
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12171
CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Dropbox for Windows: 71.4.108.0
External links
http://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5
http://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTsKm9CbLJEXNsmRwzoNLy8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.