Security Updates

Hotspot Shield for Windows

Versions affected: Hotspot Shield for Windows 7.10 and earlier

Impact: An internal audit discovered that all versions of Hotspot Shield for Windows < 7.10 contain a vulnerability that leads to information disclosure when a user visits a specific vulnerable domain. The issue was fixed by removing special treatment of these domains.

This vulnerability has been assigned CVE-2018-17241

Entry added: September 20, 2018


 

Betternet for Windows

Versions affected: Betternet for Windows <= 4.1.0.0

Impact: A vulnerability was reported in the Betternet for Windows installer that led to arbitrary code execution, provided a DLL planting attack had already succeeded.

This vulnerability has been assigned CVE-2018-12269

Entry added: June 13, 2018


 

Hotspot Shield Chrome Extension

Versions affected: Hotspot Shield Chrome extension <= 3.2.14

Impact: A vulnerability was reported in the way the Chrome extension resolved domains, which led to the user's IP address leaking under specific conditions.

This vulnerability has been assigned CVE-2018-7878

Entry added: March 12, 2018


 

Hotspot Shield Chrome Extension

Versions affected: Hotspot Shield Chrome extension <= 3.2.14

Impact: A vulnerability was reported in the whitelist present in the PAC script.

If a user visited a website that hosted a URL with a specific query parameter, the extension would then start proxying traffic to that URL, leading to a traffic hijack.

This vulnerability has been assigned CVE-2018-7879

Entry added: March 12, 2018


 

Hotspot Shield Chrome Extension

Versions affected: Hotspot Shield Chrome extension <= 3.2.14

Impact: A vulnerability was reported in the whitelist present in the PAC script.

If a user visited a specially crafted page, the request would bypass the VPN and the user's real IP address would be visible.

This vulnerability has been assigned CVE-2018-7880

Entry added: March 12, 2018
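
The two PAC whitelist entries above (CVE-2018-7879 and CVE-2018-7880) both concern what a request can make the PAC script do. The following is an added example, not Hotspot Shield's code, of a whitelist design in which the request URL can influence neither the proxy address nor the bypass decision. The proxy address and host lists are constructed placeholders.

```javascript
// Added example: hypothetical PAC logic, not the extension's own script.
// VPN_PROXY, DIRECT_HOSTS and DIRECT_SUFFIXES are constructed placeholders.
const VPN_PROXY = "HTTPS proxy.example.net:443";
const DIRECT_HOSTS = new Set(["localhost", "intranet.example.com"]);
const DIRECT_SUFFIXES = [".corp.example.com"];

// Normalise the host the browser passes in: lower-case, strip a trailing dot.
function normaliseHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "");
}

// The whitelist decision uses the host only, with exact matching or a
// dot-anchored suffix match. Substring matching is deliberately avoided so
// that "localhost.untrusted.example" is not treated as "localhost".
function isDirectHost(host) {
  const h = normaliseHost(host);
  if (h === "") return false;
  if (DIRECT_HOSTS.has(h)) return true;
  return DIRECT_SUFFIXES.some((s) => h.endsWith(s) && h.length > s.length);
}

// Standard PAC entry point. The url argument is never consulted and the
// return value is one of two constants, so nothing in the path, query string
// or fragment can select a proxy or force a DIRECT connection.
function FindProxyForURL(url, host) {
  return isDirectHost(host) ? "DIRECT" : VPN_PROXY;
}
```

Anything not on the whitelist falls through to the VPN proxy, and no `DIRECT` fallback is appended to that result, so an unreachable proxy fails closed instead of exposing the user's real IP address.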


 

AnchorFree OpenVPN SDK

Versions affected: AnchorFree OpenVPN SDK v1.3.3.218

Impact: An issue was discovered in AnchorFree OpenVPN SDK before v1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. A malicious entity that binds to the socket and provides a path where a malicious executable file resides can cause that file to be executed with SYSTEM privileges.

This vulnerability has been assigned CVE-2020-12828

Entry added: March 13, 2020