ID

VAR-202203-2055


TITLE

(0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Write Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-491

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ecava IntegraXor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EMF files within the Inkscape component. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process.

Trust: 0.7

sources: ZDI: ZDI-22-491

AFFECTED PRODUCTS

vendor: ecava, model: integraxor, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-22-491

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: ZDI-22-491
value: HIGH

Trust: 0.7

ZDI: ZDI-22-491
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-491

EXTERNAL IDS

db: ZDI_CAN, id: ZDI-CAN-14445

Trust: 0.7

db: ZDI, id: ZDI-22-491

Trust: 0.7

sources: ZDI: ZDI-22-491

CREDITS

Tran Van Khang - khangkito (VinCSS)

Trust: 0.7

sources: ZDI: ZDI-22-491

SOURCES

db: ZDI, id: ZDI-22-491

LAST UPDATE DATE

2022-05-17T02:08:52.093000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-491, date: 2022-03-29T00:00:00

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-491, date: 2022-03-09T00:00:00