Lucene search

KrcertCVE-2021-26642

HistoryJan 20, 2023 - 5:15 p.m.

CVE-2021-26642

2023-01-2017:15:10

CWE-434

krcert

web.nvd.nist.gov

cve-2021-26642

xpressengine

bulletin board

remote code execution

vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

73.6%

JSON

When uploading an image file to a bulletin board developed with XpressEngine, a vulnerability in which an arbitrary file can be uploaded due to insufficient verification of the file. A remote attacker can use this vulnerability to execute arbitrary code on the server where the bulletin board is running.

Affected configurations

Nvd

Node

microsoftwindowsMatch-

AND

xpressenginexpressengineRange<3.0.14

VendorProductVersionCPE
microsoftwindows-cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
xpressenginexpressengine*cpe:2.3:a:xpressengine:xpressengine:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
microsoft	windows	-	cpe:2.3:o:microsoft:windows:-:::::::*
xpressengine	xpressengine	*	cpe:2.3:a:xpressengine:xpressengine::::::::

CNA Affected

[
  {
    "vendor": "XEHub",
    "product": "XE3 XpresesEngine",
    "versions": [
      {
        "version": "3.0.14",
        "status": "affected",
        "lessThanOrEqual": "3.0.14",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "Windows"
    ]
  }
]

References

boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=67125

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

73.6%

JSON

Related for CVE-2021-26642