Description
A non-privileged user or program can place code and a config file in a known non-privileged path (under C:/usr/local/) that causes curl <= 7.65.1 to load and run that code automatically (as an OpenSSL "engine") on invocation. If that curl is invoked by a privileged user, the code runs with that user's privileges and can do anything it wants.
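A host check for the two conditions described above, as an added example that is not part of the original advisory or of curl itself: it reports whether the curl.exe on PATH is an OpenSSL build at or below 7.65.1, and which non-privileged principals can write to C:\usr\local or, if that path is absent, to its nearest existing ancestor. Assumptions: curl.exe is on PATH and prints the usual "curl X.Y.Z ... OpenSSL/..." version banner, and the trusted principal names are the English-locale ones.

```powershell
# Added audit example. Principal names are English-locale assumptions; adjust per host.
$VulnMax   = [version]'7.65.1'   # newest affected release named in the description
$WatchPath = 'C:\usr\local'      # path named in the description
$Trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'
# FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE | GENERIC_ALL
$WriteMask = 0x50000006

function Get-CurlInfo([string]$Exe = 'curl.exe') {
    # curl.exe is named explicitly so the Windows PowerShell "curl" alias is not used.
    if (-not (Get-Command $Exe -CommandType Application -ErrorAction SilentlyContinue)) { return $null }
    $banner = (& $Exe --version 2>$null) -join ' '
    if ($banner -notmatch '^curl (\d+\.\d+\.\d+)') { return $null }
    $version = [version]$Matches[1]
    [pscustomobject]@{ Version = $version; OpenSSL = ($banner -match 'OpenSSL/') }
}

function Get-UntrustedWriters([string]$Path) {
    # If the path does not exist, whoever can create entries in the nearest
    # existing ancestor can create it, so that ancestor's ACL is inspected.
    while ($Path -and -not (Test-Path -LiteralPath $Path)) { $Path = Split-Path -Parent $Path }
    if (-not $Path) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $WriteMask) -and
        $Trusted -notcontains $_.IdentityReference.Value
    } | ForEach-Object { '{0} has {1} on {2}' -f $_.IdentityReference, $_.FileSystemRights, $Path }
}

$curl = Get-CurlInfo
if (-not $curl) { 'curl.exe not found on PATH or version banner not recognised'; return }

$affected = $curl.OpenSSL -and ($curl.Version -le $VulnMax)
$writers  = @(Get-UntrustedWriters $WatchPath)

"curl $($curl.Version); OpenSSL build: $($curl.OpenSSL); in affected range: $affected"
if ($affected -and $writers.Count -gt 0) {
    "FINDING: affected curl and $WatchPath is writable or creatable by non-privileged principals:"
    $writers
} elseif ($writers.Count -gt 0) {
    "NOTE: curl is not in the affected range, but these principals can write to or create ${WatchPath}:"
    $writers
} else {
    "No non-privileged write access found for $WatchPath."
}
```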
Remediation
References