Tracker
Named security defects in Dropbox's software — plus documented abuse of its platform — with severity, status, and sources. A serious record tracks the identifier-bearing flaws, not only the headline breaches.
CVE-2024-5924 | Severity: Medium | Status: Patched | Year: 2024
Files arriving through Dropbox sync could be written to disk without the Windows Mark of the Web (the Zone.Identifier alternate data stream). Without it, SmartScreen and Office Protected View do not warn before a user opens downloaded, untrusted content, so a file dropped into a shared folder opened like a locally created one. Remediated in current desktop client releases.
Affected: Dropbox desktop (Windows)
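To confirm that a patched client is tagging synced files, and to find files that arrived before the fix, the following PowerShell audit checks recently modified files under the sync folder for the Zone.Identifier stream. This is an added example, not code from the Dropbox Watchdog page or from Dropbox; it assumes the sync folder is %USERPROFILE%\Dropbox (override with -DropboxRoot) and uses an illustrative list of risky extensions.

```powershell
# Added example, not from the Dropbox Watchdog page or from Dropbox itself.
# Audits recently synced files for the Mark of the Web (the Zone.Identifier
# alternate data stream). Files without it, or with a ZoneId below 3, open
# without SmartScreen / Protected View warnings.
# Assumptions: the sync folder is %USERPROFILE%\Dropbox (override with -DropboxRoot)
# and $riskyExt is an illustrative, not exhaustive, set of file types.
param(
    [string]$DropboxRoot = (Join-Path $env:USERPROFILE 'Dropbox'),
    [int]$RecentDays = 7,
    [switch]$Fix          # when set, stamp files that lack MotW with ZoneId=3
)

$riskyExt = @('.exe','.dll','.msi','.scr','.js','.vbs','.ps1','.bat','.cmd',
              '.hta','.lnk','.docm','.xlsm','.pptm','.iso','.img')

function Get-ZoneId {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if absent.
    param([string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no alternate data stream: the file carries no MotW
    }
    foreach ($l in $lines) {
        if ($l -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Set-InternetZone {
    # Stamps a file as URLZONE_INTERNET (ZoneId=3) so SmartScreen evaluates it on open.
    param([string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

$cutoff  = (Get-Date).AddDays(-$RecentDays)
$results = Get-ChildItem -LiteralPath $DropboxRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff -and $riskyExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        [pscustomobject]@{
            File     = $_.FullName
            Modified = $_.LastWriteTime
            ZoneId   = $zone
            HasMotW  = ($null -ne $zone -and $zone -ge 3)   # 3 = Internet, 4 = Restricted Sites
        }
    }

$missing = @($results | Where-Object { -not $_.HasMotW })
$missing | Format-Table -AutoSize
if ($Fix) { $missing | ForEach-Object { Set-InternetZone -Path $_.File } }
"{0} risky file(s) checked, {1} without Mark of the Web" -f @($results).Count, $missing.Count
```

Run it without -Fix first: a patched client should leave the "without Mark of the Web" count near zero for files synced after the update, and any leftovers are candidates for stamping with -Fix. Zone.Identifier is an NTFS feature, so the check is meaningless on FAT/exFAT volumes, and a ZoneId of 3 or 4 is what SmartScreen and Protected View act on.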
Platform abuse (C2) | Severity: Medium | Status: Ongoing | Year: 2024
Not a flaw in Dropbox, but a recurring abuse: state-aligned groups (e.g. Kimsuky, ScarCruft) use the trusted Dropbox API as a command-and-control and exfiltration channel. Because the traffic is TLS to a well-known SaaS domain, it blends into normal enterprise traffic, and no client update changes that; the defence is egress control and telemetry that ties the connection to the process and user making it.
Affected: Dropbox API
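A hunt for this pattern keys on which process is talking to the API hosts rather than on the destination alone. The PowerShell below is an added example, not code from the Dropbox Watchdog page or from Dropbox; it runs over constructed records shaped like Sysmon Event ID 3 (network connection) fields, and the API host list and the install-path regex for the legitimate client are assumptions to tune for your environment.

```powershell
# Added example, not from the Dropbox Watchdog page or from Dropbox itself.
# Flags processes other than the installed Dropbox client that connect to Dropbox API hosts.
# $events below is constructed sample data shaped like Sysmon Event ID 3 fields; in production
# build the same objects from
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3}
# (or Event ID 22 DNS queries, using QueryName in place of DestinationHostname).
# Assumptions: $dropboxApiHosts lists the public API endpoints and $knownClientPath
# matches the machine-wide and per-user install locations of the official client.

$dropboxApiHosts = @('api.dropboxapi.com','content.dropboxapi.com','notify.dropboxapi.com')

$knownClientPath = '^C:\\(Program Files( \(x86\))?\\Dropbox\\Client|Users\\[^\\]+\\AppData\\Roaming\\Dropbox\\bin)\\Dropbox\.exe$'

function Find-NonClientDropboxApiUse {
    # Returns one row per (Image, User) pair that reached an API host from outside the client path.
    param([object[]]$Events)
    $Events |
        Where-Object {
            $dropboxApiHosts -contains $_.DestinationHostname.ToLower() -and
            $_.Image -notmatch $knownClientPath
        } |
        Group-Object -Property Image, User |
        ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                Image       = $g[0].Image
                User        = $g[0].User
                Hosts       = ($g.DestinationHostname | Sort-Object -Unique) -join ', '
                Connections = $_.Count
                FirstSeen   = ($g.UtcTime | Sort-Object)[0]
            }
        }
}

# Constructed sample records, not real telemetry.
$events = @(
    [pscustomobject]@{ UtcTime='2024-05-02 09:14:11'; Image='C:\Program Files (x86)\Dropbox\Client\Dropbox.exe';               User='CORP\alice'; DestinationHostname='content.dropboxapi.com'; DestinationPort=443 }
    [pscustomobject]@{ UtcTime='2024-05-02 09:15:40'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';      User='CORP\alice'; DestinationHostname='api.dropboxapi.com';     DestinationPort=443 }
    [pscustomobject]@{ UtcTime='2024-05-02 09:16:02'; Image='C:\Users\alice\AppData\Local\Temp\update.exe';                   User='CORP\alice'; DestinationHostname='content.dropboxapi.com'; DestinationPort=443 }
    [pscustomobject]@{ UtcTime='2024-05-02 09:16:09'; Image='C:\Users\alice\AppData\Local\Temp\update.exe';                   User='CORP\alice'; DestinationHostname='api.dropboxapi.com';     DestinationPort=443 }
    [pscustomobject]@{ UtcTime='2024-05-02 09:20:55'; Image='C:\Program Files\Mozilla Firefox\firefox.exe';                   User='CORP\bob';   DestinationHostname='www.dropbox.com';        DestinationPort=443 }
)

Find-NonClientDropboxApiUse -Events $events | Format-Table -AutoSize
```

The path check is deliberately narrow: a binary named Dropbox.exe dropped in a temp folder still trips it, while a browser visiting www.dropbox.com does not, since that is not an API host. A process path is still spoofable, so in a real deployment pair the match with Sysmon's Hashes field or the image's Authenticode signer, and treat any hit from a scripting host or an unsigned binary as worth a look regardless of volume.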
2019 client zero-day | Severity: High | Status: Patched | Year: 2019
A researcher publicly disclosed a local privilege-escalation flaw in the Dropbox updater service on Windows that could let a low-privileged user gain SYSTEM rights. Dropbox patched the issue after disclosure.
Affected: Dropbox desktop (Windows)
Keeping the Dropbox desktop and mobile apps updated remediates the client-side issues above. It does nothing for the platform-abuse entry, which is not a defect in the client and has to be handled on the enterprise side through egress control and process-level network telemetry. See the breach tracker for full incident reports.