CVE-2021-26625 Vulnerability Details

  /     /     /  

CVE-2021-26625 Metadata Quick Info

CVE Published: 19/04/2022 | CVE Updated: 03/08/2024 | CVE Year: 2021
Source: krcert | Vendor: tobesoft Co.,Ltd | Product: Nexacro 17
Status : PUBLISHED

---

CVE-2021-26625 Description

Insufficient Verification of input Data leading to arbitrary file download and execute was discovered in Nexacro platform. This vulnerability is caused by an automatic update function that does not verify input data except version information. Remote attackers can use this incomplete validation logic to download and execute arbitrary malicious file.

Metrics

CVSS Version: 3.1 | Base Score: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-345
CWE Name: CWE-345 Insufficient Verification of Data Authenticity
Source: tobesoft Co.,Ltd

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).