CVE-2021-26630 - OpenCVE

Improper input validation vulnerability in HANDY Groupware’s ActiveX moudle allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value of the vulnerable function.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Handysoft	Groupware
Microsoft	Windows

Configuration 1 [-]

AND

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

OR	cpe:2.3:a:handysoft:groupware::::::::
	cpe:2.3:a:handysoft:groupware::::::::
	cpe:2.3:a:handysoft:groupware::::::::

No data.

References

Link	Providers
https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66723

History

No history.

MITRE

Status: PUBLISHED

Assigner: krcert

Published: 2022-05-19T14:52:27

Updated: 2024-08-03T20:26:25.656Z

Reserved: 2021-02-03T00:00:00

Link: CVE-2021-26630

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-19T15:15:07.740

Modified: 2022-06-01T20:02:47.937

Link: CVE-2021-26630

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Windows"], "product": "HANDY Groupware", "vendor": "Handysoft Co.,Ltd", "versions": [{"lessThanOrEqual": "1.7.4.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"platforms": ["Windows"], "product": "HANDY Groupware", "vendor": "Handysoft Co.,Ltd", "versions": [{"lessThanOrEqual": "2.0.3.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"platforms": ["Windows"], "product": "HANDY Groupware", "vendor": "Handysoft Co.,Ltd", "versions": [{"lessThanOrEqual": "4.0.1.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Improper input validation vulnerability in HANDY Groupware\u2019s ActiveX moudle allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value of the vulnerable function."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-19T14:52:27", "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "shortName": "krcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66723"}], "source": {"discovery": "UNKNOWN"}, "title": "HANDY Groupware file download and execute vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@krcert.or.kr", "ID": "CVE-2021-26630", "STATE": "PUBLIC", "TITLE": "HANDY Groupware file download and execute vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HANDY Groupware", "version": {"version_data": [{"platform": "Windows", "version_affected": "<=", "version_value": "1.7.4.6"}]}}]}, "vendor_name": "Handysoft Co.,Ltd"}, {"product": {"product_data": [{"product_name": "HANDY Groupware", "version": {"version_data": [{"platform": "Windows", "version_affected": "<=", "version_value": "2.0.3.6"}]}}]}, "vendor_name": "Handysoft Co.,Ltd"}, {"product": {"product_data": [{"product_name": "HANDY Groupware", "version": {"version_data": [{"platform": "Windows", "version_affected": "<=", "version_value": "4.0.1.7"}]}}]}, "vendor_name": "Handysoft Co.,Ltd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper input validation vulnerability in HANDY Groupware\u2019s ActiveX moudle allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value of the vulnerable function."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66723", "refsource": "MISC", "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66723"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:26:25.656Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66723"}]}]}, "cveMetadata": {"assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "assignerShortName": "krcert", "cveId": "CVE-2021-26630", "datePublished": "2022-05-19T14:52:27", "dateReserved": "2021-02-03T00:00:00", "dateUpdated": "2024-08-03T20:26:25.656Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:handysoft:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B3EBC31-FAA9-4C1D-8412-A23517BC6B10", "versionEndExcluding": "1.7.4.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:handysoft:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "86BDCB18-DEAE-45AC-9192-84B2050C9AF8", "versionEndExcluding": "2.0.3.7", "versionStartIncluding": "2.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:handysoft:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F44BCC9-9AC7-4D80-9A9E-C0CD24D8C6E7", "versionEndExcluding": "4.0.1.8", "versionStartIncluding": "4.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation vulnerability in HANDY Groupware\u2019s ActiveX moudle allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value of the vulnerable function."}, {"lang": "es", "value": "Una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada en el m\u00f3dulo ActiveX de HANDY Groupware permite a atacantes descargar o ejecutar archivos arbitrarios. Esta vulnerabilidad puede ser explotada usando la ruta de descarga o ejecuci\u00f3n de archivos como el valor del par\u00e1metro de la funci\u00f3n vulnerable"}], "id": "CVE-2021-26630", "lastModified": "2022-06-01T20:02:47.937", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "vuln@krcert.or.kr", "type": "Secondary"}]}, "published": "2022-05-19T15:15:07.740", "references": [{"source": "vuln@krcert.or.kr", "tags": ["Third Party Advisory"], "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66723"}], "sourceIdentifier": "vuln@krcert.or.kr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "vuln@krcert.or.kr", "type": "Secondary"}]}