CVE-2024-49360
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-49360
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49360.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-49360
- Aliases
-
- GHSA-4chj-3c28-gvmp
- Published
- 2024-11-29T18:15:09Z
- Modified
- 2025-08-04T18:50:16.091354Z
- Severity
-
- 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. An authenticated user (UserA) with no privileges is authorized to read all files created in sandbox belonging to other users in the sandbox folders
C:\Sandbox\UserB\xxx. An authenticated attacker who can useexplorer.exeorcmd.exeoutside any sandbox can read other users' files inC:\Sandbox\xxx. By default in Windows 7+, theC:\Users\UserAfolder is not readable by UserB. All files edited or created during the sandbox processing are affected by the vulnerability. All files in C:\Users are safe. IfUserBruns a cmd in a sandbox, he will be able to accessC:\Sandox\UserA. In addition, if UserB create a folderC:\Sandbox\UserAwith malicious ACLs, when UserA will user the sandbox, Sandboxie doesn't reset ACLs ! This issue has not yet been fixed. Users are advised to limit access to their systems using Sandboxie. - References
Affected packages
Git / github.com/sandboxie-plus/sandboxie
Affected ranges
- Type
- GIT
- Repo
- https://github.com/sandboxie-plus/sandboxie
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed