McKesson Cardiology 13.x and 14.x Improper Permissions Local Privilege Escalation
Back in November 2018, I reported a vulnerability to Change Healthcare regarding the McKesson Cardiology 13.1.2 web client application. Installing the application required that the Everyone group (e.g. All Users) have Full Control permissions on the directory in which the client application is installed. This allows a low-privileged user to escalate privileges or execute malicious code.