CVE-2008-3433

SpeedBit Download Accelerator Plus (DAP) before 8.6.3.9 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

Published: Aug 1, 2008
Updated: Apr 13, 2023
CVE: CVE-2008-3433
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
speedbit / download_accelerator_plus	8.0	8.0.x
speedbit / download_accelerator_plus	8.5	8.5.x
speedbit / download_accelerator_plus	-	8.6.x
speedbit / download_accelerator_plus	8.1	8.1.x

http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html
http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf
http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz

Vulnerability Database

289,871

CVE-2008-3433