CVE-2021-44426

EUVD-2021-31267
An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.5. An upload of an arbitrary file to a victim's local ~/Downloads/ directory is possible if the victim is using the AnyDesk Windows client to connect to a remote machine, if an attacker is also connected remotely with AnyDesk to the same remote machine. The upload is done without any approval or action taken by the victim.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Affected Products (NVD)
VendorProductVersion
anydeskanydesk
𝑥
< 6.2.6
anydeskanydesk
6.3.0 ≤
𝑥
< 6.3.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://anydesk.com/en/downloads/windows
https://argus-sec.com/discovering-tunneling-service-security-flaws-in-anydesk-remote-application/
https://anydesk.com/en/downloads/windows
https://argus-sec.com/discovering-tunneling-service-security-flaws-in-anydesk-remote-application/