본문내용 바로가기 메인메뉴 바로가기 푸터 바로가기

Security Advisory

CVE-2021-26626 | tobesoft XPLATFORM Arbitrary file execution Vulnerability2022.04.19
□ Overview
 o tobesoft Co.,Ltd released security update to address improper input validation vulnerability in XPLATFORM.
Vulnerability
Vulnerability Type Impact Severity CVSS Score CVE ID
Improper Input Validation arbitrary file execution High 8.1 CVE-2021-26626

□ Description
 o Improper input validation vulnerability in XPLATFORM's execBrowser method can cause execute arbitrary commands.
 o IF the second parameter value of the execBrowser function is ‘default’, the first parameter value could be passed to the ShellExecuteW API. The passed parameter is an arbitrary code to be executed.
 o Remote attackers can use this vulnerability to execute arbitrary remote code. 

□ Affected Product
Affected Product
Product Version Platform
XPLATFORM prior of 9.2.2.280 Windows

□ Solution
 o Update software over XPLATFORM 9.2.2.280 version or higher.

□ Reference
 [1] https://www.tobesoft.com/product/Xplatform.do

□ Etc
 o Thanks to Jeongun Baek for reporting this vulnerability.


□ 작성 : 침해사고분석단 취약점분석팀