Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    6 vulnerabilities

    CVE-2024-8258 (GCVE-0-2024-8258)

    Vulnerability from cvelistv5 – Published: 2024-09-10 08:36 – Updated: 2024-09-10 13:56 X_Electron X_Code Injection X_Macos
    VLAI
    Title
    Insecure Electron Fuses in Logitech Options Plus Allowing Arbitrary Code Execution on macOS
    Summary
    Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Logitech Logitech Options Plus Affected: 1.60.496306 , < 1.70 (semver)
    Unaffected: 1.70
    Create a notification for this product.
    logitech options_plus Affected: 1.60.496306 , < 1.70 (semver)
        cpe:2.3:a:logitech:options_plus:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-08-30 07:29
    Credits
    Dave F - https://hackerone.com/dave23p
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:logitech:options_plus:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "options_plus",
                "vendor": "logitech",
                "versions": [
                  {
                    "lessThan": "1.70",
                    "status": "affected",
                    "version": "1.60.496306",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8258",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-10T13:54:25.415583Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-10T13:56:50.325Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Logitech Options Plus",
              "vendor": "Logitech",
              "versions": [
                {
                  "lessThan": "1.70",
                  "status": "affected",
                  "version": "1.60.496306",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.70"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dave F - https://hackerone.com/dave23p"
            }
          ],
          "datePublic": "2024-08-30T07:29:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.\u003cbr\u003e"
                }
              ],
              "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/AU:Y/R:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-10T08:36:34.326Z",
            "orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
            "shortName": "Logitech"
          },
          "references": [
            {
              "url": "https://www.electronjs.org/docs/latest/tutorial/fuses"
            },
            {
              "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50643"
            },
            {
              "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49314"
            },
            {
              "url": "https://github.com/r3ggi/electroniz3r"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate to Logitech Options Plus version 1.70 or later.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "Update to Logitech Options Plus version 1.70 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_Electron",
            "x_Code Injection",
            "x_macOS"
          ],
          "title": "Insecure Electron Fuses in Logitech Options Plus Allowing Arbitrary Code Execution on macOS",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
        "assignerShortName": "Logitech",
        "cveId": "CVE-2024-8258",
        "datePublished": "2024-09-10T08:36:34.326Z",
        "dateReserved": "2024-08-28T08:47:03.078Z",
        "dateUpdated": "2024-09-10T13:56:50.325Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8011 (GCVE-0-2024-8011)

    Vulnerability from cvelistv5 – Published: 2024-08-25 11:44 – Updated: 2024-08-26 15:28
    VLAI
    Summary
    Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    URL Tags
    https://www.hackerone.com permissions-required
    Impacted products
    Vendor Product Version
    Logitech Options+ Unaffected: 1.72.564177 (custom)
    Affected: 0 , ≤ 1.70.551909 (custom)
    Create a notification for this product.
    Date Public
    2024-08-20 10:00
    Credits
    ferdogan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8011",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-26T15:28:24.704754Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-26T15:28:33.495Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Options+",
              "vendor": "Logitech",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.72.564177",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.70.551909",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ferdogan"
            }
          ],
          "datePublic": "2024-08-20T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera.\u0026nbsp;"
                }
              ],
              "value": "Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-25T11:44:45.839Z",
            "orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
            "shortName": "Logitech"
          },
          "references": [
            {
              "tags": [
                "permissions-required"
              ],
              "url": "https://www.hackerone.com"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
        "assignerShortName": "Logitech",
        "cveId": "CVE-2024-8011",
        "datePublished": "2024-08-25T11:44:45.839Z",
        "dateReserved": "2024-08-20T14:15:07.515Z",
        "dateUpdated": "2024-08-26T15:28:33.495Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-4031 (GCVE-0-2024-4031)

    Vulnerability from cvelistv5 – Published: 2024-04-23 06:29 – Updated: 2024-08-01 20:26
    VLAI
    Title
    MEVO WEBCAM APP Windows Unquoted Service Path Vulnerability
    Summary
    Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM APP on Windows allows Local Execution of Code.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-428 - Unquoted Search Path or Element
    Assigner
    References
    Impacted products
    Vendor Product Version
    Logitech MEVO WEBCAM APP Affected: 0 , < 0.8.0 (custom)
    Create a notification for this product.
    logitech mevo_webcam_app Affected: -
        cpe:2.3:a:logitech:mevo_webcam_app:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Arun George Jose, Alaa Kachouh
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:logitech:mevo_webcam_app:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mevo_webcam_app",
                "vendor": "logitech",
                "versions": [
                  {
                    "status": "affected",
                    "version": "-"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4031",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-23T13:56:22.229567Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:55:35.778Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:26:57.253Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cwe.mitre.org/data/definitions/428.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "MEVO WEBCAM APP",
              "vendor": "Logitech",
              "versions": [
                {
                  "lessThan": "0.8.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arun George Jose, Alaa Kachouh"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM APP on Windows allows Local Execution of Code."
                }
              ],
              "value": "Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM APP on Windows allows Local Execution of Code."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-549",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-549 Local Execution of Code"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-428",
                  "description": "CWE-428 Unquoted Search Path or Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-23T08:37:56.500Z",
            "orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
            "shortName": "Logitech"
          },
          "references": [
            {
              "url": "https://cwe.mitre.org/data/definitions/428.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "MEVO WEBCAM APP Windows Unquoted Service Path Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
        "assignerShortName": "Logitech",
        "cveId": "CVE-2024-4031",
        "datePublished": "2024-04-23T06:29:58.858Z",
        "dateReserved": "2024-04-22T15:40:56.836Z",
        "dateUpdated": "2024-08-01T20:26:57.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-2537 (GCVE-0-2024-2537)

    Vulnerability from cvelistv5 – Published: 2024-03-15 17:12 – Updated: 2024-08-01 19:18
    VLAI
    Title
    Electron Code Injection in Logi Tune macOS Application
    Summary
    Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    References
    Impacted products
    Vendor Product Version
    Logitech Logi Tune Unaffected: 3.5.249
    Create a notification for this product.
    Credits
    Fatih ERDOGAN (ferdogan)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2537",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-19T15:26:00.720634Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:30:25.031Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:18:46.975Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/2376663"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Logi Tune",
              "vendor": "Logitech",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.249"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Fatih ERDOGAN (ferdogan)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion."
                }
              ],
              "value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-251",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-251 Local Code Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-15T17:12:10.804Z",
            "orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
            "shortName": "Logitech"
          },
          "references": [
            {
              "url": "https://hackerone.com/reports/2376663"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Electron Code Injection in Logi Tune macOS Application",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
        "assignerShortName": "Logitech",
        "cveId": "CVE-2024-2537",
        "datePublished": "2024-03-15T17:12:10.804Z",
        "dateReserved": "2024-03-15T16:56:21.392Z",
        "dateUpdated": "2024-08-01T19:18:46.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0916 (GCVE-0-2022-0916)

    Vulnerability from cvelistv5 – Published: 2022-05-03 13:40 – Updated: 2024-09-17 02:26
    VLAI
    Title
    Broken authentication on Logitech Options due to misvalidation of Oauth state parameter
    Summary
    An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Logitech Options Affected: 9.60.87 , < 9.60.87 (custom)
    Create a notification for this product.
    Date Public
    2022-04-08 00:00
    Credits
    Karan Bamal
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:47:43.244Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.logi.com/hc/en-us/articles/360025297893"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Windows"
              ],
              "product": "Options",
              "vendor": "Logitech",
              "versions": [
                {
                  "lessThan": "9.60.87",
                  "status": "affected",
                  "version": "9.60.87",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Karan Bamal"
            }
          ],
          "datePublic": "2022-04-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-03T13:40:09.000Z",
            "orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
            "shortName": "Logitech"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.logi.com/hc/en-us/articles/360025297893"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to Logitech Options 9.60.87"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Broken authentication on Logitech Options due to misvalidation of Oauth state parameter",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-coordination@logitech.com",
              "DATE_PUBLIC": "2022-04-08T11:48:00.000Z",
              "ID": "CVE-2022-0916",
              "STATE": "PUBLIC",
              "TITLE": "Broken authentication on Logitech Options due to misvalidation of Oauth state parameter"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Options",
                          "version": {
                            "version_data": [
                              {
                                "platform": "Windows",
                                "version_affected": "\u003c",
                                "version_name": "9.60.87",
                                "version_value": "9.60.87"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Logitech"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Karan Bamal"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287 Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.logi.com/hc/en-us/articles/360025297893",
                  "refsource": "MISC",
                  "url": "https://support.logi.com/hc/en-us/articles/360025297893"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to Logitech Options 9.60.87"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
        "assignerShortName": "Logitech",
        "cveId": "CVE-2022-0916",
        "datePublished": "2022-05-03T13:40:09.127Z",
        "dateReserved": "2022-03-10T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:26:48.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0915 (GCVE-0-2022-0915)

    Vulnerability from cvelistv5 – Published: 2022-04-12 18:35 – Updated: 2024-09-16 18:35
    VLAI
    Title
    Logitech Sync desktop application prior to 2.4.574 - TOCTOU during installation leads to privelege escalation
    Summary
    There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Logitech Sync for Windows prior to 2.4.574. Successful exploitation of these vulnerabilities may escalate the permission to the system user.
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    References
    Impacted products
    Vendor Product Version
    Logitech Sync Affected: prior to 2.4.574 , < 2.4.574 (custom)
    Create a notification for this product.
    Date Public
    2022-04-08 00:00
    Credits
    Karan Bamal
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:47:42.807Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Windows"
              ],
              "product": "Sync",
              "vendor": "Logitech",
              "versions": [
                {
                  "lessThan": "2.4.574",
                  "status": "affected",
                  "version": "prior to 2.4.574",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Karan Bamal"
            }
          ],
          "datePublic": "2022-04-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Logitech Sync for Windows prior to 2.4.574. Successful exploitation of these vulnerabilities may escalate the permission to the system user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-12T18:35:09.000Z",
            "orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
            "shortName": "Logitech"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 2.4.574"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Logitech Sync desktop application prior to 2.4.574 - TOCTOU during installation leads to privelege escalation",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-coordination@logitech.com",
              "DATE_PUBLIC": "2022-04-08T20:31:00.000Z",
              "ID": "CVE-2022-0915",
              "STATE": "PUBLIC",
              "TITLE": "Logitech Sync desktop application prior to 2.4.574 - TOCTOU during installation leads to privelege escalation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sync",
                          "version": {
                            "version_data": [
                              {
                                "platform": "Windows",
                                "version_affected": "\u003c",
                                "version_name": "prior to 2.4.574",
                                "version_value": "2.4.574"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Logitech"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Karan Bamal"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Logitech Sync for Windows prior to 2.4.574. Successful exploitation of these vulnerabilities may escalate the permission to the system user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync",
                  "refsource": "MISC",
                  "url": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 2.4.574"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
        "assignerShortName": "Logitech",
        "cveId": "CVE-2022-0915",
        "datePublished": "2022-04-12T18:35:09.413Z",
        "dateReserved": "2022-03-10T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:35:00.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }