Skip to content

In the Quick Access Service (QAAdminAgent.exe) in Acer...

Moderate severity Unreviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Jan 29, 2023

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

In the Quick Access Service (QAAdminAgent.exe) in Acer Quick Access V2.01.3000 through 2.01.3027 and V3.00.3000 through V3.00.3008, a REGULAR user can load an arbitrary unsigned DLL into the signed service's process, which is running as NT AUTHORITY\SYSTEM. This is a DLL Hijacking vulnerability (including search order hijacking, which searches for the missing DLL in the PATH environment variable), which is caused by an uncontrolled search path element for nvapi.dll, atiadlxx.dll, or atiadlxy.dll.

References

Published by the National Vulnerability Database Dec 17, 2019
Published to the GitHub Advisory Database May 24, 2022
Last updated Jan 29, 2023

Severity

Moderate

EPSS score

0.096%
(42nd percentile)

Weaknesses

CVE ID

CVE-2019-18670

GHSA ID

GHSA-mr9m-2xh2-j9pw

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.