PT-2024-20703 · IBM · IBM Cognos Controller

Published: 2024-12-03 · Updated: 2024-12-11 · CVE-2024-25020

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: IBM Cognos Controller versions 11.0.0 through 11.0.1

Description: The issue allows malicious file upload because the Journal entry page accepts attachments of any file type without restriction. An attacker can exploit this weakness to upload malicious executable files into the system, which can then be sent to victims to perform further attacks.

Recommendations: For versions 11.0.0 and 11.0.1, restrict access to the Journal entry page to minimize the risk of exploitation. Consider disabling the file upload feature until a patch is available. As a temporary workaround, limit the types of files that can be attached on the Journal entry page to prevent malicious file uploads.
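The workaround above (limiting which file types may be attached) is the kind of check an upload handler should enforce server-side. The following is an added illustration, not IBM Cognos Controller code: a hypothetical attachment validator that accepts only an allowlisted extension, refuses content that starts with an executable signature (PE, ELF, shebang script), checks the content signature against the claimed type where one exists, and normalises the stored file name. The allowlist, signature table and function name are assumptions chosen for the example; a real deployment would tune them to the documents it needs to accept.

```python
"""Hypothetical attachment allowlist check for a journal-entry upload handler.

Added example illustrating the advisory's workaround of restricting attachment
types. Not IBM Cognos Controller code; every name and value here is assumed.
"""
from dataclasses import dataclass
import os
import re

# Assumed allowlist: document, spreadsheet and image types only.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".xlsx", ".png", ".jpg"}

# Leading bytes of executable formats that must never be stored as attachments,
# regardless of the extension the client claims.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter shebang",
}

# Expected leading bytes for allowlisted types; an empty tuple means the type
# has no fixed signature (plain text), so only the executable check applies.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".xlsx": (b"PK\x03\x04",),
    ".txt": (),
    ".csv": (),
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_attachment(filename: str, content: bytes) -> UploadDecision:
    """Decide whether an uploaded attachment may be stored, and under what name."""
    # Drop any client-supplied directory component (either separator style).
    base = os.path.basename(filename.replace("\\", "/"))
    stem, _, ext_raw = base.rpartition(".")
    # Rejects names without an extension ("README") and dotfiles (".htaccess").
    if not stem or not ext_raw:
        return UploadDecision(False, "missing or hidden extension")
    # Only the final extension counts, so "invoice.pdf.exe" is judged as ".exe".
    ext = "." + ext_raw.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext!r} not in allowlist")
    # An allowlisted extension does not prove the content is harmless.
    for magic, label in EXECUTABLE_MAGIC.items():
        if content.startswith(magic):
            return UploadDecision(False, f"content is a {label}")
    expected = EXPECTED_MAGIC.get(ext, ())
    if expected and not any(content.startswith(m) for m in expected):
        return UploadDecision(False, f"content does not match {ext} signature")
    # Normalise the stored name so user-controlled names cannot carry path or
    # control characters into the filesystem.
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return UploadDecision(True, "ok", safe_stem + ext)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_attachment("Report Q1.PDF", b"%PDF-1.7\n%..."))
    print(validate_attachment("invoice.pdf.exe", b"MZ\x90\x00"))
    print(validate_attachment("payload.pdf", b"MZ\x90\x00"))
```

The signature table is a heuristic, not a parser: a ZIP-based container passes the `.xlsx` check whether or not it is really a workbook, and text types get only the executable-signature check. The point is that the decision rests on the extension allowlist plus the bytes actually received, never on the extension or the client-supplied content type alone.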

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2024-25020

Affected Products: IBM Cognos Controller