Description
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
Remediation
References
Related Vulnerabilities
WordPress Plugin WordPress Popular Posts Cross-Site Scripting (5.3.5)
Python Integer Overflow or Wraparound Vulnerability (CVE-2010-1449)
Mailman Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2006-4624)
MySQL CVE-2019-2689 Vulnerability (CVE-2019-2689)
WordPress Plugin Content Blocks (Custom Post Widget) Cross-Site Scripting (3.0)