Google Quickshare Auth Bypass via File Upload
CVE-2024-10668 Published on November 7, 2024
Auth Bypass in Quickshare
There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. The root cause of the vulnerability lies in the fact that when a Payload Transfer frame of type FILE is sent to Quick Share, the file that is contained in this frame is written to disk in the Downloads folder. Quickshare normally deletes unkown files, however an attacker can send two Payload transfer frames of type FILE and the same payload ID. The deletion logic will only delete the first file and not the second. We recommend upgrading past commit 5d8b9156e0c339d82d3dab0849187e8819ad92c0 or Quick Share Windows v1.0.2002.2
Weakness Type
What is an Unrestricted File Upload Vulnerability?
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVE-2024-10668 has been classified to as an Unrestricted File Upload vulnerability or weakness.
Products Associated with CVE-2024-10668
Want to know whenever a new CVE is published for Google Quick Share? stack.watch will email you.
Affected Versions
Google Nearby:- Before 5d8b9156e0c339d82d3dab0849187e8819ad92c0 is affected.
- Before 1.0.2002.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.