Description

The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer's administrative rights.

Remediation

References

CVE-2020-10733

Related Vulnerabilities

WordPress Plugin SyntaxHighlighter Evolved Cross-Site Scripting (3.1.5)

IBM RTC Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-20504)

XWiki Improper Encoding or Escaping of Output Vulnerability (CVE-2022-36099)

WordPress Plugin Uncanny Toolkit for LearnDash Cross-Site Request Forgery (3.6.3)

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-1893)

Severity

High

Classification

CVE-2020-10733 CWE-426 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities