VYPR
Vendor

KioWare

Products
2
CVEs
7
Across products
11
Status
Private

Products

2

Recent CVEs

7
  • CVE-2024-3459HigMay 14, 2024
    risk 0.55cvss 8.4epss 0.00

    KioWare for Windows (versions all through 8.34) allows to escape the environment by downloading PDF files, which then by default are opened in an external PDF viewer. By using built-in functions of that viewer it is possible to launch a web browser, search through local files…

  • CVE-2018-18435HigMar 21, 2019
    risk 0.54cvss 7.8epss 0.01

    KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it's sub-folders. In addition, the program installs a service called "KWSService"…

  • CVE-2023-34642HigJun 19, 2023
    risk 0.51cvss 7.8epss 0.00

    KioWare for Windows through v8.33 was discovered to contain an incomplete blacklist filter for blocked dialog boxes on Windows 10. This issue can allow attackers to open a file dialog box via the function showDirectoryPicker() which can then be used to open an unprivileged…

  • CVE-2023-34641HigJun 19, 2023
    risk 0.51cvss 7.8epss 0.00

    KioWare for Windows through v8.33 was discovered to contain an incomplete blacklist filter for blocked dialog boxes on Windows 10. This issue can allow attackers to open a file dialog box via the function window.print() which can then be used to open an unprivileged command…

  • CVE-2024-3460HigMay 14, 2024
    risk 0.48cvss 7.4epss 0.00

    In KioWare for Windows (versions all through 8.34) it is possible to exit this software and use other already opened applications utilizing a short time window before the forced automatic logout occurs. Then, by using some built-in function of these applications, one may…

  • CVE-2024-3461MedMay 14, 2024
    risk 0.40cvss 6.2epss 0.00

    KioWare for Windows (versions all through 8.35) allows to brute force the PIN number, which protects the application from being closed, as there are no mechanisms preventing a user from excessively guessing the number.

  • CVE-2022-44875MedMar 6, 2023
    risk 0.35cvss 5.4epss 0.01

    KioWare through 8.33 on Windows sets KioScriptingUrlACL.AclActions.AllowHigh for the about:blank origin, which allows attackers to obtain SYSTEM access via KioUtils.Execute in JavaScript code.