Wiz
Vulnerability DatabaseCVE-2021-37446

CVE-2021-37446
NixOS vulnerability analysis and mitigation

Overview

In NCH Quorum v2.03 and earlier, an authenticated user can exploit a directory traversal vulnerability via logprop?file=/.. for file reading (CISA Bulletin). The vulnerability was discovered on July 25, 2021, affecting the NCH Quorum conference server software.

Technical details

The vulnerability allows authenticated users to perform directory traversal attacks through multiple vectors in the application. The attack can be executed via endpoints like 'logprop?file=/..' which permits unauthorized file reading through path traversal. The vulnerability has not yet been assigned a CVSS score (CISA Bulletin).

Impact

The vulnerability enables authenticated attackers to view or delete any file on the remote system via path traversals in separate functions. This access is dependent on the running context of the application. Additionally, attackers can potentially access credential files of other NCH applications typically stored in \ProgramData\NCH Software\ (GitHub POC).

Mitigation and workarounds

NCH Software has marked Quorum as a legacy program that is no longer supported. The vendor explicitly warns that the person setup as admin on this program can have access to files on the system (NCH Software).

Additional resources

SourceThis report was generated using AI

Related NixOS vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-14330CRITICAL9.8
  • NixOSNixOS
  • cpe:2.3:a:mozilla:firefox_esr
NoYesDec 09, 2025
CVE-2025-14329HIGH8.8
  • NixOSNixOS
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
NoYesDec 09, 2025
CVE-2025-14333HIGH8.1
  • NixOSNixOS
  • firefox
NoYesDec 09, 2025
CVE-2025-14332HIGH7.3
  • NixOSNixOS
  • firefox
NoYesDec 09, 2025
CVE-2025-14331MEDIUM6.5
  • NixOSNixOS
  • firefox
NoYesDec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo