{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2023-7270","assignerOrgId":"551230f0-3615-47bd-b7cc-93e92e730bbf","state":"PUBLISHED","assignerShortName":"SEC-VLab","dateReserved":"2024-06-17T06:58:43.143Z","datePublished":"2024-06-27T09:28:21.528Z","dateUpdated":"2025-02-13T17:27:05.773Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","product":"Office","vendor":"SoftMaker Software GmbH","versions":[{"status":"unaffected","version":"2024 / NX, revision 1214"}]},{"defaultStatus":"affected","product":"FreeOffice","vendor":"SoftMaker Software GmbH","versions":[{"status":"unaffected","version":"2024, revision 1215"}]},{"defaultStatus":"affected","product":"FreeOffice","vendor":"SoftMaker Software GmbH","versions":[{"status":"affected","version":"2021 revision 1068"}]}],"credits":[{"lang":"en","type":"finder","value":"Michael Baer | SEC Consult Vulnerability Lab"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><p>An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed.</p><p></p></div><p>The SoftMaker Office and FreeOffice MSI installer files were found to\n produce a visible conhost.exe window running as the SYSTEM user when \nusing the repair function of msiexec.exe.&nbsp;<span style=\"background-color: var(--wht);\">This allows a local, \nlow-privileged attacker to use a chain of actions, to open a fully \nfunctional cmd.exe with the privileges of the SYSTEM user.</span></p>"}],"value":"An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed.\n\n\n\n\n\nThe SoftMaker Office and FreeOffice MSI installer files were found to\n produce a visible conhost.exe window running as the SYSTEM user when \nusing the repair function of msiexec.exe. This allows a local, \nlow-privileged attacker to use a chain of actions, to open a fully \nfunctional cmd.exe with the privileges of the SYSTEM user."}],"impacts":[{"capecId":"CAPEC-234","descriptions":[{"lang":"en","value":"CAPEC-234 Hijacking a privileged process"}]}],"providerMetadata":{"orgId":"551230f0-3615-47bd-b7cc-93e92e730bbf","shortName":"SEC-VLab","dateUpdated":"2024-07-04T06:06:02.598Z"},"references":[{"tags":["exploit","third-party-advisory"],"url":"https://r.sec-consult.com/softmaker"},{"tags":["patch"],"url":"https://softmaker.de/download/servicepacks"},{"tags":["patch"],"url":"https://www.freeoffice.com/de/download/servicepacks"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/5"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The vendor provides a service pack version 1214 for SoftMaker Office 2024 and SofMaker Office NX, which can be downloaded from:<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://softmaker.de/download/servicepacks\">https://softmaker.de/download/servicepacks</a></p><p>FreeOffice 2024 revision 1215:<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.freeoffice.com/de/download/servicepacks\">https://www.freeoffice.com/de/download/servicepacks</a></p><p>FreeOffice 2021 is unsupported and will not be fixed according to the vendor.</p><br>"}],"value":"The vendor provides a service pack version 1214 for SoftMaker Office 2024 and SofMaker Office NX, which can be downloaded from:\n https://softmaker.de/download/servicepacks \n\nFreeOffice 2024 revision 1215:\n https://www.freeoffice.com/de/download/servicepacks \n\nFreeOffice 2021 is unsupported and will not be fixed according to the vendor."}],"source":{"discovery":"UNKNOWN"},"title":"Local Privilege Escalation via MSI installer","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-266","lang":"en","description":"CWE-266 Incorrect Privilege Assignment"}]}],"affected":[{"vendor":"softmaker","product":"softmaker_office","cpes":["cpe:2.3:a:softmaker:softmaker_office:2021:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"2024","status":"affected"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.3,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","integrityImpact":"LOW","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"LOW","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-07-23T13:11:41.264519Z","id":"CVE-2023-7270","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-23T13:28:56.487Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T08:57:35.070Z"},"title":"CVE Program Container","references":[{"tags":["exploit","third-party-advisory","x_transferred"],"url":"https://r.sec-consult.com/softmaker"},{"tags":["patch","x_transferred"],"url":"https://softmaker.de/download/servicepacks"},{"tags":["patch","x_transferred"],"url":"https://www.freeoffice.com/de/download/servicepacks"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/5","tags":["x_transferred"]}]}]},"dataVersion":"5.1"}