CVE-2024-40695

Name of the Vulnerable Software and Affected Versions IBM Cognos Analytics versions 11.2.0 through 11.2.4 FP4 IBM Cognos Analytics versions 12.0.0 through 12.0.4

Description The issue is related to a malicious file upload vulnerability due to the lack of validation of the content of uploaded files to the web interface. This weakness can be exploited by attackers to upload malicious executable files into the system, which can then be sent to victims for further attacks. The vulnerability is associated with unlimited file upload of dangerous types, allowing a remote attacker to upload arbitrary files.

Recommendations For IBM Cognos Analytics versions 11.2.0 through 11.2.4 FP4, update to a version that includes the fix for this vulnerability. For IBM Cognos Analytics versions 12.0.0 through 12.0.4, update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting file uploads to the web interface until a patch is available. Restrict access to the file upload feature to minimize the risk of exploitation.