CVE-2019-17322

Published: Oct 30, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation via a POST request with the parameter set to the file path to be written. This can be an executable file that is written to in the arbitrary directory. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.

Affected (1)

Products: Clipsoft: Rexpert

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Clipsoft Rexpert	Up to 1.0.0.527

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35184

Source: vuln@krcert.or.kr

Third Party Advisory

https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35184

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.