CVE-2019-13518
Description
Stack buffer overflow in EZ Touch Editor ≤2.1.0 lets attackers execute arbitrary code via a crafted project file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
EZ Touch Editor versions 2.1.0 and prior contain a stack-based buffer overflow (CWE-121) [1]. An attacker can trigger this by supplying a specially crafted project file, which overflows the buffer and allows code execution under the application's privileges [1]. The vulnerability is assigned CVE-2019-13518 with a CVSS v3 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1].
Exploitation
Exploitation requires low skill [1]. The attacker needs only a crafted project file and user interaction (opening the file) [1]. No special network position or authentication is needed; the attack is local [1]. The sequence is: deliver the malicious file to the victim, who opens it in EZ Touch Editor, causing the buffer overflow and code execution [1].
Impact
Successful exploitation allows arbitrary code execution under the privileges of the application [1]. This can lead to full compromise of the affected system, with high impact on confidentiality, integrity, and availability [1].
Mitigation
EZAutomation recommends updating to version 2.2.0 or later [1]. As a workaround, use project files only from known sources [1]. CISA also advises avoiding unsolicited email links/attachments and following social engineering prevention practices [1]. No further mitigations are disclosed in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- EZ Touch Editor/EZ Touch Editor
- Range: <=2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] www.us-cert.gov/ics/advisories/icsa-19-246-01 (mitre, x_refsource_MISC)