CVE-2021-44426

Published: Sep 12, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.5. An upload of an arbitrary file to a victim's local ~/Downloads/ directory is possible if the victim is using the AnyDesk Windows client to connect to a remote machine, if an attacker is also connected remotely with AnyDesk to the same remote machine. The upload is done without any approval or action taken by the victim.

Affected (2)

Products: Anydesk: Anydesk

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Anydesk Anydesk	Before 6.2.6
Anydesk Anydesk	From 6.3.0 to 6.3.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://anydesk.com/en/downloads/windows

Source: cve@mitre.org

ProductVendor Advisory

https://argus-sec.com/discovering-tunneling-service-security-flaws-in-anydesk-remote-application/

Source: cve@mitre.org

ExploitThird Party Advisory

https://anydesk.com/en/downloads/windows

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

https://argus-sec.com/discovering-tunneling-service-security-flaws-in-anydesk-remote-application/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.