CVE-2012-5003

No Machine NX Web Companion <3 - RCE

Title source: llm

Description

nxapplet.jar in No Machine NX Web Companion 3.x and earlier does not properly verify the authenticity of updates, which allows user-assisted remote attackers to execute arbitrary code via a crafted (1) SiteUrl or (2) RedirectUrl parameter that points to a Trojan Horse client.zip update file.

References (4)

[Third Party Advisory] http://archives.neohapsis.com/archives/bugtraq/2012-01/0161.html

[Third Party Advisory] http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0466.html

[Vendor Advisory] http://secunia.com/advisories/47685

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/72712

Scores

EPSS 0.0147

EPSS Percentile 80.7%

Classification

CWE

CWE-287

Status draft

Affected Products (18)

nomachine/nx_web_companion < 3.5.0-2

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

nomachine/nx_web_companion

... and 3 more

Timeline

Published Sep 19, 2012

Tracked Since Feb 18, 2026