CVE-2021-26628: KISA Internet Bohonara & KrCERT
Security Advisory
CVE-2021-26628 | MaxBoard XSS and File Upload Vulnerability (2022.04.26)
□ Overview
o MaxBoard has released a security update to address XSS and file upload vulnerabilities in the MaxBoard admin page.
Vulnerability
Vulnerability Type  | Impact                                      | Severity | CVSS Score | CVE ID
XSS and File Upload | remote code execution, privilege escalation | High     | 8.8        | CVE-2021-26628
□ Description
o Insufficient script validation in the admin page enables XSS, through which unauthorized users can steal admin privileges.
o When a file is uploaded in a specific menu, verification of the file is insufficient. This allows remote attackers to upload arbitrary files disguised as image files.
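The second finding, the upload check that accepts non-image files disguised as images, is illustrated below from the defender's side. This is an added example, not MaxBoard's own upload handler (which this advisory does not show): a server-side validator that accepts an upload as an image only when its extension, declared MIME type and magic bytes agree and no script or PHP markers sit inside the content. The function and sample upload names are assumptions.

```python
# Added example (not MaxBoard's code): server-side verification of an upload
# that claims to be an image. Function and sample names are constructed here.
import re
from typing import Dict, Tuple

# Allowed image types: extension -> (expected MIME type, magic-byte prefixes)
ALLOWED_IMAGES = {
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}
# Extensions a web server may execute if they appear anywhere in the name
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php5", "phar", "htaccess"}
# Markers of active content hidden inside an otherwise valid image (polyglot)
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<svg\b|<html\b", re.IGNORECASE)

def validate_image_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); every decision uses server-side data only."""
    name = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_IMAGES:                    # 1. allowlist on the last extension
        return False, f"extension .{ext} not allowed"
    if EXECUTABLE_EXTS.intersection(parts[:-1]):    # 2. name.php.jpg style double extension
        return False, "executable extension inside filename"
    mime, magics = ALLOWED_IMAGES[ext]
    if declared_mime.lower() != mime:               # 3. client Content-Type must agree
        return False, f"declared type {declared_mime} does not match .{ext}"
    if not any(data.startswith(m) for m in magics):  # 4. magic bytes must match the format
        return False, "content is not a valid image of the claimed type"
    if SCRIPT_MARKERS.search(data):                 # 5. valid header + script = polyglot
        return False, "script markers found inside image data"
    return True, "ok"

# Constructed sample uploads (not real files), one per decision path
SAMPLES = {
    "photo.png":     ("image/png",  b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "avatar.gif":    ("image/gif",  b"GIF89a" + b"<?php echo 'hidden'; ?>"),
    "cover.jpg":     ("image/jpeg", b"<?php echo 'not an image'; ?>"),
    "notes.php.jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
}

def run_samples() -> Dict[str, bool]:
    """Map each constructed sample name to whether the validator accepts it."""
    return {n: validate_image_upload(n, m, d)[0] for n, (m, d) in SAMPLES.items()}
```

Only the first sample passes; the other three fail on the polyglot, magic-byte and double-extension checks respectively, which is the kind of rejection the advisory says the vulnerable versions did not perform.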
□ Affected Product
Product  | Version         | Platform
MaxBoard | prior to 1.9.6  | Linux
□ Solution
o Update MaxBoard to version 1.9.6.1 or higher.
□ Reference
[1] https://maxb.kr/
□ Etc
o Thanks to Song Inbong for reporting this vulnerability.
□ Written by: Incident Analysis Division, Vulnerability Analysis Team