Detections
Analytics

CVE-2020-15261

medium

Description

On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in anyway unsafe setups. The problem has been fixed in version 4.4.2. As a workaround, the exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.

References

https://github.com/veyon/veyon/security/advisories/GHSA-c8cc-x786-hqqp

https://github.com/veyon/veyon/issues/657

https://github.com/veyon/veyon/commit/f231ec511b9a09f43f49b2c7bb7c60b8046276b1

https://www.exploit-db.com/exploits/49925

https://www.exploit-db.com/exploits/48246

http://packetstormsecurity.com/files/162873/Veyon-4.4.1-Unquoted-Service-Path.html

Details

Source: Mitre, NVD

Published: 2020-10-19

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 6.7

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity: Medium

EPSS

EPSS: 0.08381