Description
An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to improper access control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges on a Windows system where the GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected.
Exploits (1)
References (2)
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support.gog.com/hc/en-us/articles/360025458833-GOG-GALAXY-2-0-updates-and-known-issues
Third Party Advisory, Vendor Advisory x_refsource_misc
https://cqureacademy.com/cqure-labs/cqlabs-cve-2019-15511-broken-access-control-in-gog-galaxy
Scores
CVSS v3: 7.8
EPSS: 0.0053
EPSS Percentile: 67.4%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-306
Status: published
Products (1)
gog/galaxy < 1.2.60
Published: Nov 21, 2019
Tracked Since: Feb 18, 2026