| CVE ID | CVE-2024-5924 |
| CVSS SCORE | 8.8, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| AFFECTED VENDORS |
Dropbox |
| AFFECTED PRODUCTS |
Dropbox Desktop |
| VULNERABILITY DETAILS |
This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Dropbox Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of shared folders. When syncing files from a shared folder belonging to an untrusted account, the Dropbox desktop application does not apply the Mark-of-the-Web to the local files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. |
| ADDITIONAL DETAILS |
06/05/24 – ZDI reported the vulnerability to the vendor. 06/06/24 – The vendor acknowledged the report. 06/10/24 – The vendor states the vulnerability about Mark-of-the-Web is out of scope for their bug bounty program. 06/11/24 – ZDI acknowledged their rejection and informed the vendor that we’re publishing this case as a zero-day advisory on 6/13/24 in accordance with our disclosure policy. -- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. |
| DISCLOSURE TIMELINE |
|
| CREDIT | Peter Girnus (@gothburz) |
