How severe is CVE-2018-10204?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2018-10204?

This is classified as CWE-732, which is a common weakness in software security.

CVE-2018-10204 - HIGH Severity | CVSS 8.8

Vulnerability Description

PureVPN 6.0.1 for Windows suffers from a SYSTEM privilege escalation vulnerability in its "sevpnclient" service. When configured to use the OpenVPN protocol, the "sevpnclient" service executes "openvpn.exe" using the OpenVPN config file located at %PROGRAMDATA%\purevpn\config\config.ovpn. This file allows "Write" permissions to users in the "Everyone" group. An authenticated attacker may modify this file to specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM account.

Related Vulnerabilities

CVE-2007-6033

HIGH

CVSS:8.8(High)

Invensys Wonderware InTouch 8.0 creates a NetDDE share with insecure permissions (Everyone/Full Control), which allows remote authenticated attackers, and possibly anonymous users, to execute arbitrar...

CWE-7322007

CVE-2017-0311

HIGH

CVSS:8.8(High)

NVIDIA GPU Display Driver R378 contains a vulnerability in the kernel mode layer handler where improper access control may lead to denial of service or possible escalation of privileges.

CWE-7322017

CVE-2017-0784

HIGH

CVSS:8.8(High)

A elevation of privilege vulnerability in the Android system (nfc). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37287958.

CWE-7322017

CVE-2017-1000022

HIGH

CVSS:8.8(High)

LogicalDoc Community Edition 7.5.3 and prior contain an Incorrect access control which could leave to privilege escalation.

CWE-7322017

CVE-2017-1000096

HIGH

CVSS:8.8(High)

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and c...

CWE-7322017

CVE-2017-1000403

HIGH

CVSS:8.8(High)

Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.

CWE-7322017