CVE-2024-37391

HIGH

ProtonVPN < 3.2.10 - OS Command Injection via Drive Installer Path

Title source: llm

Description

ProtonVPN before 3.2.10 on Windows mishandles the drive installer path, which should use this: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' in Setup/setup.iss.

References (2)

Core 2

Core References

Patch

https://github.com/ProtonVPN/win-app/commit/2e4e25036842aaf48838c6a59f14671b86c20aa7

View Patch ZIP pw:eip

Patch

https://github.com/ProtonVPN/win-app/compare/3.2.9...3.2.10

Scores

CVSS v3 7.8

EPSS 0.0031

EPSS Percentile 22.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-78

Status published

Products (1)

proton/protonvpn < 3.2.10

Published Jul 22, 2024

Tracked Since Feb 18, 2026