PT-2025-7430 · IBM · IBM OpenPages with Watson

Published 2025-02-19 · Updated 2025-03-11 · CVE-2024-49780

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

IBM OpenPages with Watson versions 8.3 through 9.0

Description

The issue allows a remote attacker to traverse directories on the system. An attacker with privileges to perform Import Configuration could send a specially crafted HTTP request containing "dot dot" sequences (/../) in the file name parameter used in Import Configuration to write files to arbitrary locations outside of the specified directory and possibly overwrite arbitrary files.

Recommendations

For versions 8.3 and 9.0, consider disabling the Import Configuration feature until a patch is available to prevent directory traversal attacks. Restrict access to the Import Configuration module to minimize the risk of exploitation. Avoid using the file name parameter in the affected Import Configuration endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
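The description turns on a client-supplied file name being joined to a target directory without a containment check. The following is an added illustration of that check for any import or upload handler; it is not IBM or OpenPages code, and the function names, the exception class and the sample file names are assumptions constructed for the example.

```python
import os
from urllib.parse import unquote


class UnsafeFileName(ValueError):
    """Raised when a supplied file name would land outside the import directory."""


def resolve_import_path(base_dir: str, file_name: str) -> str:
    """Return the absolute path for file_name inside base_dir, or raise UnsafeFileName."""
    # Decode percent-encoding once so "%2e%2e%2f" is judged as "../".
    # The decoded value is the one used from here on; it is never decoded again.
    decoded = unquote(file_name)
    if not decoded or "\x00" in decoded:
        raise UnsafeFileName("empty name or NUL byte")
    # Treat both separators alike so "..\" is caught on any platform.
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/") or normalized[1:2] == ":":
        raise UnsafeFileName("absolute path")
    # Strict policy: any ".." segment is refused, even one that would stay inside.
    segments = normalized.split("/")
    if ".." in segments:
        raise UnsafeFileName("dot dot segment")
    # Final check on the resolved path; this also catches a symlink inside
    # the import directory that points somewhere else.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *segments))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafeFileName("resolves outside import directory")
    return target


def check_names(base_dir, names):
    """Map each name to its resolved path or to the reason it was rejected."""
    results = {}
    for name in names:
        try:
            results[name] = resolve_import_path(base_dir, name)
        except UnsafeFileName as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample names, not taken from any real request.
    samples = ["profiles/config.xml", "../../etc/passwd", "%2e%2e%2fx", "..\\x"]
    for name, outcome in check_names("import_dir", samples).items():
        print(f"{name!r}: {outcome}")
```

The handler should write only to the path this function returns, never to a path rebuilt from the raw parameter.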

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2025-06818
CVE-2024-49780

Affected Products

IBM OpenPages with Watson