CVE-2024-50623 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Cleo Multiple Products Unrestricted File Upload Vulnerability

Exploit added

December 13, 2024

Action due

January 3, 2025

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

References

https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory

Weakness Enumeration

CWE-ID	CWE Name
CWE-434	Unrestricted Upload of File with Dangerous Type

Details

Source:
NVD

Published:
October 28, 2024

Updated:
December 17, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined