Lucene search

MitreCVE-2016-10894

HistoryAug 16, 2019 - 3:15 a.m.

CVE-2016-10894

2019-08-1603:15:11

CWE-254

mitre

web.nvd.nist.gov

120

xtrlock

unauthorized input

cve-2016-10894

security vulnerability

multitouch events

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

4.6

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

4.5

Confidence

High

EPSS

0.001

Percentile

34.6%

JSON

xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, “pinch and zoom” gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger).

Affected configurations

Nvd

Node

xtrlock_projectxtrlockRange≤2.10

Node

debiandebian_linuxMatch8.0

VendorProductVersionCPE
xtrlock_projectxtrlock*cpe:2.3:a:xtrlock_project:xtrlock:*:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*