This vulnerability allows local privileged users to elevate their privileges on affected systems to system level. In other words, a malicious user who has privileges to print process on an affected system can execute arbitrary code as SYSTEM. This is an elevation of privilege vulnerability because it allows a user with lower privilege level to gain access to system level privileges. This is a cross site scripting vulnerability due to the fact that the vulnerable code does not properly sanitize user input. An attacker can inject malicious code into the user interface of the victim’s browser if they are logged on to the affected system. This might lead to cross site scripting attacks. This is a cross site request forgery vulnerability due to the fact that the vulnerable code does not validate the request of the user. An attacker can craft a request to launch system level code as SYSTEM. This might lead to a cross site request forgery attack. This is a vulnerability in the application’s configuration. This might lead to an information disclosure attack. An attacker can craft a request to launch system level code as SYSTEM. This might lead to an information disclosure attack. An attacker can craft a request to launch system level code as SYSTEM. This might lead to a cross site scripting attack. This is a vulnerability in the application’s configuration. This might lead to an information disclosure attack

Vulnerable code example

Vulnerability Scenario

A malicious user has the privileges to print process on an affected system.
An attacker would use this vulnerability to exploit a cross site scripting attack, which could lead to a remote code execution vulnerability.
An attacker would use this vulnerability to exploit an information disclosure attack, which could lead to remote code execution.

References:

- CVE-2022-21997
This vulnerability allows local privileged users to elevate their privileges on affected systems to system level. In other words, a malicious user who has privileges to print process on an affected system can execute arbitrary code as SYSTEM. This is an elevation of privilege vulnerability because it allows a user with lower privilege level to gain access to system level privileges. This is a cross site scripting vulnerability due to the fact that the vulnerable code does not properly sanitize user input. An attacker can inject malicious code into the user interface of the victim’s browser if they are logged on to the affected system. This might lead to cross site scripting attacks. This is a cross site request forgery vulnerability due to the fact that the vulnerable code does not validate the request of the user. An attacker can craft a request to launch system level code as SYSTEM. This might lead to a cross site request forgery attack. This is a vulnerability in the application’s configuration. This might lead to an information disclosure attack. An attacker can craft a request to launch system level code as SYSTEM. This might lead to an information disclosure attack.

Timeline

Published on: 02/09/2022 17:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC

References