CVE-2024-49360

Date: November 29, 2024

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. An authenticated user (UserA) with no privileges is authorized to read all files created in sandbox belonging to other users in the sandbox folders "C:\Sandbox\UserB\xxx". An authenticated attacker who can use "explorer.exe" or "cmd.exe" outside any sandbox can read other users' files in "C:\Sandbox\xxx". By default in Windows 7+, the "C:\Users\UserA" folder is not readable by UserB. All files edited or created during the sandbox processing are affected by the vulnerability. All files in C:\Users are safe. If "UserB" runs a cmd in a sandbox, he will be able to access "C:\Sandox\UserA". In addition, if UserB create a folder "C:\Sandbox\UserA" with malicious ACLs, when UserA will user the sandbox, Sandboxie doesn't reset ACLs ! This issue has not yet been fixed. Users are advised to limit access to their systems using Sandboxie.

Language: C++