CVE-2019-12162

HIGH

Upwork Time Tracker <5.2.2.716 - Code Injection

Title source: llm
STIX 2.1

Description

Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.

References (2)

Core 2
Core References
Product, Vendor Advisory x_refsource_misc
https://support.upwork.com/hc/en-us/categories/360001180954
Third Party Advisory x_refsource_misc
https://vuldb.com/?id.138406

Scores

CVSS v3 7.8
EPSS 0.0026
EPSS Percentile 17.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-494
Status published
Products (1)
upwork/time_tracker 5.2.2.716
Published Jul 23, 2019
Tracked Since Feb 18, 2026