CVE-2019-12574

Published: Jul 11, 2019Modified: Nov 21, 2024

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA client is vulnerable to a DLL injection vulnerability during the software update process. The updater loads several libraries from a folder that authenticated users have write access to. A low privileged user can leverage this vulnerability to execute arbitrary code as SYSTEM.

Affected (1)

Products: Londontrustmedia: Private Internet Access Vpn Client

Londontrustmedia

1 product

Private Internet Access Vpn Client

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Londontrustmedia Private Internet Access Vpn Client	Version 1.0

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

References (2)

https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12574.txt

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12574.txt

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.