CVE-2019-12162

EUVD-2019-3811
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
upworktime_tracker
5.2.2.716
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://support.upwork.com/hc/en-us/categories/360001180954
https://vuldb.com/?id.138406
https://support.upwork.com/hc/en-us/categories/360001180954
https://vuldb.com/?id.138406