Unquoted Search Path or Element

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

CVEs (426)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-8070 - - Jul 25, 2025 Jul 23, 2025 9.2 CRITICAL· v4 N/A· v3 N/A· v2 The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable loca...Show more The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges, exploitation results in privilege escalation to SYSTEM level. This vulnerability arises from an unquoted service path affecting systems where the executable resides in a path containing spaces. Affected products and versions include: ABP 2.0.7.6130 and earlier as well as AES 1.0.6.6133 and earlier.Show less
CVE-2025-0035 - - May 13, 2025 May 13, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Unquoted search path within AMD Cloud Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution.
CVE-2024-36321 - - May 13, 2025 May 13, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Unquoted search path within AIM-T Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution.
CVE-2025-4540 1Lodop 1C Lodop Jul 8, 2025 May 11, 2025 7.3 HIGH· v4 7.0 HIGH· v3 6.0 MEDIUM· v2 A vulnerability was found in MTSoftware C-Lodop 6.6.1.1 on Windows. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search...Show more A vulnerability was found in MTSoftware C-Lodop 6.6.1.1 on Windows. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 6.6.13 is able to address this issue. It is recommended to upgrade the affected component.Show less
CVE-2025-1984 - - Mar 14, 2025 Mar 12, 2025 N/A· v4 5.2 MEDIUM· v3 N/A· v2 Xerox Desktop Print Experience application contains a Local Privilege Escalation (LPE) vulnerability, which allows a low-privileged user to gain SYSTEM-level access.
CVE-2025-0884 - - Mar 12, 2025 Mar 12, 2025 7.3 HIGH· v4 N/A· v3 N/A· v2 Unquoted Search Path or Element vulnerability in OpenText™ Service Manager. The vulnerability could allow a user to gain SYSTEM privileges through Privilege Escalation. This issue affects Service Manager: 9.70, 9.71,...Show more Unquoted Search Path or Element vulnerability in OpenText™ Service Manager. The vulnerability could allow a user to gain SYSTEM privileges through Privilege Escalation. This issue affects Service Manager: 9.70, 9.71, 9.72.Show less
CVE-2025-24831 - - Feb 18, 2025 Jan 31, 2025 N/A· v4 6.6 MEDIUM· v3 N/A· v2 Local privilege escalation due to unquoted search path vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.
CVE-2025-21107 1Dell 1Networker Feb 7, 2025 Jan 30, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Dell NetWorker, version(s) prior to 19.11.0.3, all versions of 19.10 & prior versions contain(s) an Unquoted Search Path or Element vulnerability. A low privileged attacker with local access could potentially exploit thi...Show more Dell NetWorker, version(s) prior to 19.11.0.3, all versions of 19.10 & prior versions contain(s) an Unquoted Search Path or Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.Show less
CVE-2024-57276 - - Jan 30, 2025 Jan 27, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 In Electronic Arts Dragon Age Origins 1.05, the DAUpdaterSVC service contains an unquoted service path vulnerability. This service is configured with insecure permissions, allowing users to modify the executable file pat...Show more In Electronic Arts Dragon Age Origins 1.05, the DAUpdaterSVC service contains an unquoted service path vulnerability. This service is configured with insecure permissions, allowing users to modify the executable file path used by the service. The service runs with NT AUTHORITY\SYSTEM privileges, enabling attackers to escalate privileges by replacing or placing a malicious executable in the service path.Show less
CVE-2024-9287 1Python 1Python Nov 3, 2025 Oct 22, 2024 5.3 MEDIUM· v4 7.8 HIGH· v3 N/A· v2 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment...Show more A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.Show less
CVE-2024-9325 1Intelbras 1Incontrol Web Nov 4, 2024 Sep 29, 2024 8.5 HIGH· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability classified as critical has been found in Intelbras InControl up to 2.21.56. This affects an unknown part of the file C:\Program Files (x86)\Intelbras\Incontrol Cliente\incontrol_webcam\incontrol-service-w...Show more A vulnerability classified as critical has been found in Intelbras InControl up to 2.21.56. This affects an unknown part of the file C:\Program Files (x86)\Intelbras\Incontrol Cliente\incontrol_webcam\incontrol-service-watchdog.exe. The manipulation leads to unquoted search path. It is possible to launch the attack on the local host. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-08-05 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20.Show less
CVE-2024-8996 1Grafana 1Agent Oct 1, 2024 Sep 25, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2
CVE-2024-8975 1Grafana 1Alloy Dec 26, 2024 Sep 25, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.
CVE-2024-43457 1Microsoft 1Windows 11 24h2 Sep 17, 2024 Sep 10, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Windows Setup and Deployment Elevation of Privilege Vulnerability
CVE-2022-27592 1Qnap 1Qvr Smart Client Sep 24, 2024 Sep 6, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 An unquoted search path or element vulnerability has been reported to affect QVR Smart Client. If exploited, the vulnerability could allow local authenticated administrators to execute unauthorized code or commands via u...Show more An unquoted search path or element vulnerability has been reported to affect QVR Smart Client. If exploited, the vulnerability could allow local authenticated administrators to execute unauthorized code or commands via unspecified vectors. We have already fixed the vulnerability in the following version: Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Smart Client 2.4.0.0570 and laterShow less
CVE-2024-5963 - - Aug 6, 2024 Aug 6, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Unquoted Executable Path vulnerability in Hitachi Device Manager on Windows (Device Manager Server component).This issue affects Hitachi Device Manager: before 8.8.7-00.
CVE-2024-31201 1Proges 1Thermoscan Ip Aug 12, 2024 Jul 31, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 A “CWE-428: Unquoted Search Path or Element” affects the ThermoscanIP_Scrutation service. Such misconfiguration could be abused in scenarios where incorrect permissions were assigned to the C:\ path to attempt a privileg...Show more A “CWE-428: Unquoted Search Path or Element” affects the ThermoscanIP_Scrutation service. Such misconfiguration could be abused in scenarios where incorrect permissions were assigned to the C:\ path to attempt a privilege escalation on the local machine.Show less
CVE-2024-5402 1Abb 1Mint Workbench Nov 21, 2024 Jul 15, 2024 6.2 MEDIUM· v4 7.8 HIGH· v3 N/A· v2 Unquoted Search Path or Element vulnerability in ABB Mint Workbench. A local attacker who successfully exploited this vulnerability could gain elevated privileges by inserting an executable file in the path of the aff...Show more Unquoted Search Path or Element vulnerability in ABB Mint Workbench. A local attacker who successfully exploited this vulnerability could gain elevated privileges by inserting an executable file in the path of the affected service. This issue affects Mint Workbench I versions: from 5866 before 5868.Show less
CVE-2024-6080 1Intelbras 1Incontrol Nov 21, 2024 Jun 17, 2024 8.5 HIGH· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability classified as critical was found in Intelbras InControl 2.21.56. This vulnerability affects unknown code of the component incontrolWebcam Service. The manipulation leads to unquoted search path. Local acc...Show more A vulnerability classified as critical was found in Intelbras InControl 2.21.56. This vulnerability affects unknown code of the component incontrolWebcam Service. The manipulation leads to unquoted search path. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and plans to provide a solution within the next few weeks.Show less
CVE-2024-2747 1Schneider Electric 1Easergy Studio Nov 21, 2024 Jun 12, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio, which could cause privilege escalation when a valid user replaces a trusted file name on the system and reboots the machine.

Previous 1...111213...22 Next