Security Advisory

CVE-2020-7874 | NEXACRO14 Runtime arbitrary file download and execution vulnerability
2021.09.08
□ Overview
 o tobesoft Co., Ltd released a security update to address an arbitrary file download and execution vulnerability in the NEXACRO14 Runtime plugin.

| Vulnerability Type | Impact | Severity | CVSS Score | CVE ID |
|---|---|---|---|---|
| Download of code without integrity check | arbitrary file download and execution | High | 8.8 | CVE-2020-7874 |

□ Description
 o A download of code without integrity check vulnerability in the NEXACRO14 Runtime ActiveX control of tobesoft Co., Ltd allows an attacker to cause an arbitrary file download and execution. (CVE-2020-7874)
 o This vulnerability is due to incomplete validation of the file download URL or file extension.
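
As an added illustration (not tobesoft's code and not part of the original advisory), the following sketch shows the checks whose absence defines this weakness class: validating the download URL's origin, validating the file extension from the parsed path, and verifying a digest before the file is used. The host name, extension allowlist and function names are assumptions chosen for the example.

```python
import hashlib
import hmac
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Constructed values for illustration; a real deployment defines its own.
ALLOWED_HOSTS = {"updates.example.com"}
ALLOWED_EXTENSIONS = {".xml", ".png", ".css"}


def validate_download_url(url: str) -> str:
    """Return the file name if the URL passes origin and extension checks."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    # Compare the parsed host, not a substring of the URL; reject userinfo.
    if parts.username or parts.password or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    # Decode once and take the extension from the path only, never the query.
    path = unquote(parts.path)
    if any(c in path for c in "%\\:\x00"):
        raise ValueError("ambiguous path")
    name = PurePosixPath(path).name
    # Windows drops trailing dots and spaces when the file is saved.
    if not name or name != name.rstrip(". "):
        raise ValueError("bad file name")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in allowlist")
    return name


def verify_payload(data: bytes, expected_sha256: str) -> bool:
    """Integrity check against a digest taken from a trusted manifest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def accept_download(url: str, data: bytes, expected_sha256: str) -> str:
    """Run both checks; the caller stores or opens the file only on success."""
    name = validate_download_url(url)
    if not verify_payload(data, expected_sha256):
        raise ValueError("digest mismatch")
    return name
```

The expected digest must come from a channel the downloader already trusts, such as a signed manifest, and not from the same response as the file.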

□ Affected Product
| Product | Version | Platform |
|---|---|---|
| NEXACRO14 | prior to 14.0.1.3600 | Windows |

□ Solution
 o Update NEXACRO14 to version 14.0.1.3600 or higher.

□ Reference
 [1] https://support.tobesoft.co.kr/Support/index.html

□ Etc
 o Thanks to Jeongun Baek for reporting this vulnerability.


□ Prepared by: Incident Analysis Division, Vulnerability Analysis Team