Code Injection in Slack Technologies, Inc. products - #VU46184

Published: September 1, 2020


Vulnerability identifier: #VU46184
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Slack for Windows
Slack for macOS
Slack for Linux
Software vendor:
Slack Technologies, Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when processing input passed to the application. A remote attacker can create a specially crafted web page or share a specially crafted post with the victim, trick the victim into clicking on a link or image, and execute arbitrary code on the system with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Install updates from the vendor's website.

External links