Bitdefender Safepay 23.0.10.34 Remote Code Execution Vulnerability

Summary

Bitdefender Safepay is prone to a remote code-execution vulnerability. A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

Credit:

The information has been provided by Juho Nurminen.

The original article can be found at: https://www.bitdefender.com/support/security-advisories/bitdefender-safepay-exec-command-injection-remote-code-execution-vulnerability/


Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender Safepay 23.0.10.34. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIScript. When processing the System.Exec method, the application does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process.

Vulnerable Systems:

  • Bitdefender Safepay 23.0.10.34

CVE Information:

CVE-2019-6736

Disclosure Timeline:
Publish Date: 06/03/2019