Cyber Security News

Notepad++ Input Validation Flaws Leads to uncontrolled Search Path Vulnerability

Notepad++ has been discovered with an uncontrolled search path vulnerability, which could allow threat actors to search an untrusted search path. This vulnerability has been disclosed to Notepad++, and a patch has yet to be provided.

Notepad++ is a simple text editor for Windows with many more capabilities and can be used to open or edit code files written in other programming languages. Multiple vulnerabilities in Notepad++ were previously reported in August 2023.

CVE-2023-6401: Uncontrolled Search Path in Notepad++

This vulnerability exists in an unknown functionality of the file dbghelp.exe, which a threat actor can manipulate to search an untrusted path.

This vulnerability has been categorized under “Hijack Execution Flow” by the MITRE framework. 

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Notepad++ utilizes a predetermined search path to locate its resources. However, this search path can be exploited by threat actors to compromise the Confidentiality, Integrity, and Availability (CIA) triad of the system.

Attackers can target one or more locations in the specified path and gain unauthorized access to the resources.

Products affected by this vulnerability include Notepad++ versions before 8.1.

Notepad++ is yet to publish a fix and a security advisory for this report.

There has been no evidence of exploitation of this vulnerability by threat actors. The severity for this vulnerability has been given as 5.3 (Medium) by VulDB. 

No other additional information about this vulnerability has been reported, nor has a publicly available exploit been found.

To know more about this vulnerability, VulDB has published a report providing additional information.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Rajashekar Yasani

Rajashekar Yasani is a seasoned Cloud Security Engineer with extensive experience in cybersecurity research. As a security researcher, Rajashekar shares practical insights to help organizations enhance their security posture in an ever-evolving digital landscape.

Recent Posts

TikTok Stopped Working for US Users, Removed from Apple & Google stores

TikTok, the popular video-sharing app, has been banned in the United States and removed from…

5 hours ago

MITRE Launches D3FEND 1.0 to Standardize Cybersecurity Techniques for Countering Threats

MITRE has officially released D3FEND™ 1.0, a groundbreaking cybersecurity ontology designed to standardize the vocabulary…

23 hours ago

PoC Exploit Released for Palo Alto Expedition Tool OS Command Injection Vulnerability

A recently disclosed vulnerability in Palo Alto Networks' Expedition tool has raised significant security concerns,…

1 day ago

FlowerStorm “Phishing-as-a-Service” Attacking Microsoft Users With Fake Login Pages

FlowerStorm is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms. Phishing…

1 day ago

Hackers Abusing Microsoft VSCode Remote Tunnels To Bypass Security Tools

VSCode Remote Tunnels, a legitimate feature of the popular development environment, are increasingly being used…

1 day ago

AWS Patches Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has recently addressed two critical security vulnerabilities affecting its popular cloud-based…

2 days ago