□ Overview
o tobesoft Co.,Ltd released security update to address arbitrary file download and execution vulnerability in NEXACRO14 Runtime plugin.
Vulnerability
| Vulnerability Type |
Impact |
Severity |
CVSS Score |
CVE ID |
Download of code without
integrity check |
arbitrary file download and
execution |
High |
8.8 |
CVE-2020-7874 |
□ Description
o Download of code without integrity check vulnerability in NEXACRO14 Runtime ActiveX control of tobesoft Co., Ltd allows the attacker to cause an arbitrary
file download and execution.(CVE-2020-7874)
o This vulnerability is due to incomplete validation of file download URL or file extension.
□ Affected Product
Affected Product
| Product |
Version |
Platform |
| NEXACRO14 |
prior to 14.0.1.3600 |
Windows |
□ Solution
o Update software over NEXACRO14 14.0.1.3600 version or higher.
□ Reference
[1] https://support.tobesoft.co.kr/Support/index.html
□ Etc
o Thanks to Jeongun Baek for reporting this vulnerability.
□ 작성 : 침해사고분석단 취약점분석팀 |
