Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. An authenticated user (**UserA**) with no privileges is authorized to read all files created in sandbox belonging to other users in the sandbox folders `C:\Sandbox\UserB\xxx`. An authenticated attacker who can use `explorer.exe` or `cmd.exe` outside any sandbox can read other users' files in `C:\Sandbox\xxx`. By default in Windows 7+, the `C:\Users\UserA` folder is not readable by **UserB**.
All files edited or created during the sandbox processing are affected by the vulnerability. All files in C:\Users are safe. If `UserB` runs a cmd in a sandbox, he will be able to access `C:\Sandox\UserA`. In addition, if **UserB** create a folder `C:\Sandbox\UserA` with malicious ACLs, when **UserA** will user the sandbox, Sandboxie doesn't reset ACLs ! This issue has not yet been fixed. Users are advised to limit access to their systems using Sandboxie.
References
Link | Resource |
---|---|
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-4chj-3c28-gvmp | Exploit Vendor Advisory Mitigation |
Configurations
Configuration 1 (hide)
|
History
04 Aug 2025, 17:25
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:sandboxie:sandboxie:5.69.6:*:*:*:*:*:*:* |
cpe:2.3:a:sandboxie-plus:sandboxie:*:*:*:*:classic:*:*:* cpe:2.3:a:sandboxie-plus:sandboxie:*:*:*:*:plus:*:*:* |
References | () https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-4chj-3c28-gvmp - Exploit, Vendor Advisory, Mitigation | |
First Time |
Sandboxie-plus
Sandboxie-plus sandboxie |
01 Aug 2025, 20:28
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
First Time |
Sandboxie sandboxie
Sandboxie |
|
References | () https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-4chj-3c28-gvmp - Vendor Advisory, Exploit | |
CPE | cpe:2.3:a:sandboxie:sandboxie:*:*:*:*:*:*:*:* cpe:2.3:a:sandboxie:sandboxie:5.69.6:*:*:*:*:*:*:* |
29 Nov 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-29 18:15
Updated : 2025-08-04 17:25
NVD link : CVE-2024-49360
Mitre link : CVE-2024-49360
CVE.ORG link : CVE-2024-49360
JSON object : View
Products Affected
sandboxie-plus
- sandboxie
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')