CVE-2024-10668
Published Nov 7, 2024
Last updated 5 months ago
AI description
CVE-2024-10668 affects Google's Quick Share feature on Windows. It involves an authentication bypass that allows an attacker to send unauthorized files to a target device without the recipient's explicit approval. This vulnerability stems from the way Quick Share handles file transfers, specifically related to the processing of Payload Transfer frames. The vulnerability arises because Quick Share doesn't properly handle the deletion of unknown file types when two Payload Transfer frames of type FILE are sent with the same payload ID. The deletion logic only removes the first file, leaving the second one, which could be a malicious file, on the system. This can also be exploited to cause a denial-of-service (DoS) condition by using a filename that starts with an invalid UTF8 continuation byte. Google has addressed this vulnerability in Quick Share for Windows version 1.0.2002.2.
- Description: There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. The root cause of the vulnerability lies in the fact that when a Payload Transfer frame of type FILE is sent to Quick Share, the file that is contained in this frame is written to disk in the Downloads folder. Quickshare normally deletes unknown files; however, an attacker can send two Payload Transfer frames of type FILE and the same payload ID. The deletion logic will only delete the first file and not the second. We recommend upgrading past commit 5d8b9156e0c339d82d3dab0849187e8819ad92c0 or Quick Share Windows v1.0.2002.2.
- Source: cve-coordination@google.com
- NVD status: Awaiting Analysis
CVSS 4.0
- Type: Secondary
- Base score: 5.9
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:L/U:Green
- Severity: MEDIUM
- cve-coordination@google.com: CWE-434
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 25
CVE-2024-10668 : Auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent https://t.co/UgyYWIpPtz
@freedomhack101, 4 Apr 2025
14 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 0 Replies, 0 Quotes
A serious vulnerability (CVE-2024-10668) in Google Quick Share for Windows allows unauthorized file transfers and DoS attacks. Initial fixes weren't enough, leaving users at risk. ⚠️ #Google #Windows #Vulnerability link: https://t.co/n2zsUmr09Z https://t.co/HjyKyR2ahm
@TweetThreatNews, 3 Apr 2025
16 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
🚨 New Google Quick Share flaw exposed. 📌 CVE-2024-10668 Attackers could crash your PC or send files to it without approval via Quick Share for Windows. 🔗 Learn more: https://t.co/aYp0iiW96c
@TheHackersNews, 3 Apr 2025
11216 Impressions, 47 Retweets, 79 Likes, 14 Bookmarks, 0 Replies, 0 Quotes