CVE-2024-3460

14.05.2024, 15:41

In KioWare for Windows (versions all through 8.34)it is possible to exit this softwareand use other already opened applications utilizing a short time window before the forced automatic logout occurs. Then, by using some built-in function of these applications, one may launch any other programs.
In order to exploit this vulnerability external applications must be left running when the KioWare software is launched. Additionally, an attacker must knowthe PIN set for this Kioware instance and also slow down the application with some specific task which extends the usable time window.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.4 HIGH	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CERT-PL	CNA	7.4 HIGH	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Vendor	Product	Version
kioware	kioware	𝑥 ≤ 8.34
kioware	kioware	𝑥 ≤ 8.34

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-424 - Improper Protection of Alternate Path
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

References

https://cert.pl/en/posts/2024/04/CVE-2024-3459

https://cert.pl/posts/2024/04/CVE-2024-3459

https://www.kioware.com/

https://cert.pl/en/posts/2024/04/CVE-2024-3459

https://cert.pl/posts/2024/04/CVE-2024-3459

https://www.kioware.com/