Event Log Explorer 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path | Advisories

Advisories

Event Log Explorer 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path

severity: high
date: January 21, 2026
Affecting: Event Log Explorer 4.9.3
CVE: CVE-2021-47861
CWE: CWE-428 Unquoted Search Path or Element
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-49704
Vendor Homepage
Credit: Alan Mondragon
Description: Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations that will be executed with LocalSystem account privileges during service startup.