Lucene search

KrcertCVELIST:CVE-2021-26642

HistoryJan 20, 2023 - 12:00 a.m.

CVE-2021-26642 XpressEngine file upload vulnerability

2023-01-2000:00:00

CWE-434

krcert

www.cve.org

cve-2021-26642

xpressengine

file upload

vulnerability

bulletin board

remote attacker

arbitrary code

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

73.6%

JSON

When uploading an image file to a bulletin board developed with XpressEngine, a vulnerability in which an arbitrary file can be uploaded due to insufficient verification of the file. A remote attacker can use this vulnerability to execute arbitrary code on the server where the bulletin board is running.

CNA Affected

[
  {
    "vendor": "XEHub",
    "product": "XE3 XpresesEngine",
    "versions": [
      {
        "version": "3.0.14",
        "status": "affected",
        "lessThanOrEqual": "3.0.14",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "Windows"
    ]
  }
]

References

boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=67125

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

73.6%

JSON

Related for CVELIST:CVE-2021-26642