CVE-2024-49360
CVSS 3.1 Score 9.2 of 10 (high)
Details
Summary
CVE-2024-49360 is a vulnerability affecting Sandboxie, sandboxing software for Windows NT-based operating systems. It allows an authenticated user with no privileges to read files created by other users in the sandbox folders. An attacker outside the sandbox, with access to explorer.exe or cmd.exe, can exploit this vulnerability to read other users' files in the `C:\Sandbox\xxx` directory. Files edited or created during sandbox processing are affected. This contrasts with the default behavior on Windows 7 and later, where `UserB` is denied read access to the `C:\Users\UserA` folder. If `UserB` creates a malicious folder `C:\Sandbox\UserA` with incorrect ACLs, Sandboxie will not reset them, which poses an additional security risk. The vulnerability remains unpatched, and users are advised to restrict access to their systems when using Sandboxie.
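One way to check a host for the two conditions described above (sandbox folders readable by other accounts, and a folder created in advance by a different user) is the following PowerShell audit. It is an added example, not code from Sandboxie or from this advisory; it assumes the sandbox root is `C:\Sandbox` with one folder per user name, as in the summary, and English built-in account names.

```powershell
# Added example: flag per-user sandbox folders whose owner or ACL exposes them to other accounts.
# Assumptions: folders are named C:\Sandbox\<UserName> as in the summary; English account names.
param([string]$SandboxRoot = 'C:\Sandbox')

# Principals expected on the ACL besides the folder's own user.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# ReadData/ListDirectory (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
$readBits = 0x1 -bor 0x10000000 -bor 0x80000000

function Get-SandboxAclFinding {
    param([Parameter(Mandatory)][System.IO.DirectoryInfo]$Folder)

    $acl = Get-Acl -LiteralPath $Folder.FullName
    $user = $Folder.Name
    $findings = @()

    # A folder pre-created by another account keeps that account as its owner.
    $ownerName = ($acl.Owner -split '\\')[-1]
    if ($ownerName -ne $user -and $acl.Owner -notin $expected) {
        $findings += "owner is '$($acl.Owner)', expected '$user'"
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Cast to int so raw generic-rights values are tested too.
        if (([int]$ace.FileSystemRights -band $readBits) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($id -in $expected -or ($id -split '\\')[-1] -eq $user) { continue }
        $findings += "'$id' is allowed read access ($($ace.FileSystemRights))"
    }

    foreach ($f in $findings) {
        [pscustomobject]@{ Folder = $Folder.FullName; Finding = $f }
    }
}

Get-ChildItem -LiteralPath $SandboxRoot -Directory -ErrorAction Stop |
    ForEach-Object { Get-SandboxAclFinding -Folder $_ } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so every folder's ACL can be read; no output means no folder under the root matched either condition.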
Affected Products
- Sandboxie
Affected Vendors
- Sandboxie