CVE-2019-25318

Description

AVS Audio Converter 9.1.2.600 contains a stack overflow vulnerability that allows attackers to execute arbitrary code by manipulating the output folder text input. Attackers can craft a malicious payload that overwrites stack memory and triggers a bind shell on port 9999 when the 'Browse' button is clicked.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Active

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

AVS4YOU / AVS Audio Converter9.1.2.600 – 9.1.2.600

References

EXPLOIThttps://www.exploit-db.com/exploits/47810
MISChttp://www.avs4you.com/
EXPLOIThttps://www.exploit-db.com/exploits/47788
VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/avs-audio-converter-stack-overflow