CVSSv3.1 Range: 6.3 (Medium)
Issue Date: 2021-03-03
Updated On: 2021-03-03 (Initial Advisory)
Synopsis: Dependency call on UpSlide Monitoring Service could lead to potential code execution.
UpSlide Add-In: Version 18.104.22.168 to 22.214.171.124
Known Attack Vectors
Successful exploitation of this issue may allow an attacker to gain privileged access to the computer running code as a Windows Service.
This issue has been fixed in v6.6.18. Don't hesitate to get in touch with your account manager, and they will provide you with a new version of UpSlide.
In the meantime, you can mitigate the vulnerability by restricting UpSlideService folder rights using the following command lines:
icacls "UpSlideInstallationPath\UpSlideService" /inheritance:d
icacls "UpSlideInstallationPath\UpSlideService" /remove:g *S-1-5-32-545 /T
icacls "UpSlideInstallationPath\UpSlideService" /grant:r *S-1-5-32-545:(OI)(CI)R /grant:r *S-1-5-32-544:(OI)(CI)F /grant:r SYSTEM:(OI)(CI)F /T
Fix introduced in
UpSlide Add-In: Version 126.96.36.199 was released on February 10th, 2021.
2021-03-03 UPS-2021-001: Initial Security Advisory
If you have any questions regarding this vulnerability, please contact UpSlide support via email firstname.lastname@example.org.
If you want to report a vulnerability on UpSlide products, please contact email@example.com.