Code Injection in Slack Technologies, Inc. products - #VU46184

 

Code Injection in Slack Technologies, Inc. products - #VU46184

Published: September 1, 2020


Vulnerability identifier: #VU46184
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Slack Technologies, Inc.
Affected software:
Slack for Windows
Slack for macOS
Slack for Linux

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when processing input passed to the application. A remote attacker can create a specially crafted web page, share a specially crafted post with the victim, trick the victim into clicking on a link or image and execute arbitrary code on the system with privilege of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install updates from vendor's website.

Sources