Summaryinfo

A vulnerability described as critical has been identified in TimeDoctor Pro 1.4.72.3 on Windows. Impacted is an unknown function of the component Autoupdate. Such manipulation leads to data authenticity. This vulnerability is listed as CVE-2015-4674. There is no available exploit.

Detailsinfo

A vulnerability was found in TimeDoctor Pro 1.4.72.3 on Windows and classified as critical. Affected by this issue is an unknown code block of the component Autoupdate. The manipulation with an unknown input leads to a data authenticity vulnerability. Using CWE to declare the problem leads to CWE-345. The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of SSL, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file.

The weakness was presented 08/07/2015 (Website). The advisory is shared for download at seclists.org. This vulnerability is handled as CVE-2015-4674 since 06/19/2015. The exploitation is known to be difficult. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 75572†). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• TimeDoctor Pro

Version

• 1.4.72.3

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion