CVE-2023-51772
First published: Mon Dec 25 2023(Updated: )
One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <5.13.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/type
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/description
- agent/author
- agent/weakness
- agent/event
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/oneidentity
- canonical/oneidentity password manager