Moxa SoftCMS VLCPlugin ActiveX Control setUserInfoData strUserName Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Moxa SoftCMS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within processing of the strUserName parameter of the setUserInfoData method of the VLCPlugin control. The user name string is copied to a fixed-length heap buffer without a length validation. An attacker can leverage this vulnerability to gain code execution under the context of the process.