CVE-2016-10663

EPSS 2.2% · CWE-311

In short

The wixtoolset Node module downloads binary files over unencrypted HTTP instead of secure HTTPS, allowing attackers on the network to intercept and replace those files with malicious versions, potentially giving them full control of the affected computer.

Technical detail

wixtoolset downloads binary resources over HTTP without encryption, creating a man-in-the-middle (MITM) vulnerability. An attacker positioned on the network path can intercept the HTTP traffic and replace legitimate binaries with malicious ones, achieving remote code execution with the privileges of the Node process. No authentication or special preconditions are required beyond network access.

Summary generated and translated by AI from the official description.
wixtoolset is a Node module wrapper around the wixtoolset binaries. wixtoolset downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server.
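
A mitigation for the download path described above, as an added example that is not wixtoolset's own code: refuse any non-HTTPS source and install the file only if its SHA-256 matches a digest pinned in the package. The URL, file contents, destination path and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Reject any source that is not HTTPS, so the transfer cannot be rewritten in transit.
function requireHttps(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS download source: ${url.protocol}//${url.host}`);
  }
  return url;
}

// Compare the SHA-256 of the received bytes with the digest pinned in the package.
function matchesPinnedDigest(bytes, pinnedSha256Hex) {
  const actual = crypto.createHash('sha256').update(bytes).digest();
  const expected = Buffer.from(pinnedSha256Hex, 'hex');
  return expected.length === actual.length && crypto.timingSafeEqual(actual, expected);
}

// Write the artifact only after both checks pass; temp file plus rename
// means a rejected or interrupted download never appears at destPath.
function installVerified(rawUrl, bytes, pinnedSha256Hex, destPath) {
  requireHttps(rawUrl);
  if (!matchesPinnedDigest(bytes, pinnedSha256Hex)) {
    throw new Error('digest mismatch: downloaded file is not the pinned release');
  }
  const tmp = `${destPath}.${process.pid}.tmp`;
  fs.writeFileSync(tmp, bytes);
  fs.renameSync(tmp, destPath);
  return destPath;
}

// Constructed sample data (not real wixtoolset binaries or URLs).
const GOOD = Buffer.from('constructed-known-good-archive');
const SWAPPED = Buffer.from('constructed-replaced-archive');
// In a real package this digest is a constant shipped with the code.
const PINNED = crypto.createHash('sha256').update(GOOD).digest('hex');
const DEST = path.join(os.tmpdir(), 'verified-artifact-example.bin');

function tryInstall(url, bytes) {
  try { installVerified(url, bytes, PINNED, DEST); return 'installed'; }
  catch (err) { return `rejected: ${err.message}`; }
}

console.log(tryInstall('http://downloads.example.invalid/tools.zip', GOOD));
console.log(tryInstall('https://downloads.example.invalid/tools.zip', SWAPPED));
console.log(tryInstall('https://downloads.example.invalid/tools.zip', GOOD));
```

The pinned digest is what catches a replaced file even when the transport is trusted, for example if the download host itself serves a different binary.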
