CVE-2019-3999 (inSync Client) Fixed
The inSync Electron application is configured in such a way that a malicious local user can execute arbitrary NodeJS code in the context of the inSync client process. An attacker can accomplish this by launching inSync with a URL parameter pointing to an attacker-controlled HTML file containing NodeJS code.
Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.6.3 and prior do not properly validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM. This module has been tested successfully on inSync versions 6.5.2r99097 and 6.6.3r102156 on Windows 7 SP1 (x64).
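A triage check for the two preconditions the advisory names, written as an added example for this page (it is not the advisory's, Druva's or the exploit module's code). It assumes inSync version strings have the shape seen in the text, major.minor.patch with an optional "r" plus build number, and it only probes whether TCP/6064 on the loopback interface accepts a connection; it sends nothing to the service and does not touch the RPC message format.

```python
"""Check a host for the conditions CVE-2019-3999 depends on: an inSync
client at version 6.6.3 or earlier, and a listener on local TCP port
6064, the port the advisory names for the RPC service."""
import re
import socket
from typing import Dict, Tuple

# Facts taken from the advisory text.
INSYNC_RPC_PORT = 6064
LAST_VULNERABLE_VERSION = (6, 6, 3)   # "6.6.3 and prior" are affected

# Assumption: version strings look like "6.6.3r102156" (major.minor.patch,
# optional "r" + build number), matching the two strings quoted on the page.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?$")


def parse_insync_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); the build suffix is ignored for comparison."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised inSync version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True when the client falls inside the affected range (6.6.3 and prior).

    Tuple comparison is deliberate: a plain string compare would rank
    "6.10.0" below "6.6.3"."""
    return parse_insync_version(version) <= LAST_VULNERABLE_VERSION


def rpc_port_listening(host: str = "127.0.0.1", port: int = INSYNC_RPC_PORT,
                       timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port is accepted.

    A bare connect does not prove the listener is inSync; it only shows
    that the port the advisory names is open. Nothing is written to it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(version: str, host: str = "127.0.0.1",
           port: int = INSYNC_RPC_PORT) -> Dict[str, bool]:
    """Combine both checks; 'exposed' is set only when both conditions hold."""
    vulnerable = is_vulnerable_version(version)
    listening = rpc_port_listening(host, port)
    return {"vulnerable_version": vulnerable,
            "port_listening": listening,
            "exposed": vulnerable and listening}


if __name__ == "__main__":
    # The version would normally be read from the installed client (for
    # example the file version of the inSync binary); sample strings are
    # hard-coded here, the first two being the versions the page quotes.
    for v in ("6.5.2r99097", "6.6.3r102156", "6.6.4"):
        print(v, assess(v))
```

Run it on the host being triaged; `exposed` is true only when an affected version is installed and something is accepting connections on 6064. Because a connect alone cannot tell inSync from any other local listener, treat the port result as a prompt to confirm the owning process (for example with `netstat -ano`) rather than as proof on its own.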