Description
LiveCode v9.6.1 on Windows allows local, low-privileged users to gain privileges by creating a malicious "cmd.exe" in the folder of the vulnerable LiveCode application. If the application is using LiveCode's "shell()" function, it will attempt to search for "cmd.exe" in the folder of the current application and run the malicious "cmd.exe".
References (3)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://john-woodman.com/posts/LiveCode-Privilege-Escalation-Vulnerability/
Third Party Advisory x_refsource_misc
https://quality.livecode.com/show_bug.cgi?id=22942
Vendor Advisory x_refsource_misc
https://github.com/livecode/livecode/pull/7454
Scores
CVSS v3: 7.8
EPSS: 0.0043
EPSS Percentile: 34.2%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-427
Status: published
Products (1)
faulknermedia/wildlife_issues_in_the_new_millennium
18.0.160
Published: Oct 08, 2020
Tracked Since: Feb 18, 2026