EdgeRover Windows App Version 0.25
WDC Tracking Number: WDC-21007
Product Line: EdgeRover
Published: June 10, 2021
Last Updated: June 10, 2021
EdgeRover was vulnerable to an escalation of privileges vulnerability where a low privileged user could load malicious content into directories with higher privileges. This is a vulnerability in our implementation of Node.js that allows an attacker to gain admin privileges and carry out malicious activities such as creating a fake library and stealing user credentials.
Resolved the escalation of privileges vulnerability by fixing the load-modules path and disabling any files that are being loaded from outside locations where any less privileged user could have access and could upload malicious content. The vulnerability is fixed in the latest updated version 0.25.
CVE Number: CVE-2021-33205
Reported by: Xavier Danest