Cleo < 5.8.0.21 Unrestricted File Read/Upload

high Web App Scanning Plugin ID 114542

Synopsis

Cleo < 5.8.0.21 Unrestricted File Read/Upload

Description

Cleo Harmony, VLTrader and LexiCom prior to version 5.8.0.21 are affected by a vulnerability that allows an unauthenticated remote attacker to read arbitrary files from the server or to upload arbitrary files to it; a malicious upload can lead to remote code execution.
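The plugin decides whether a host is affected purely by comparing the reported product version against the fixed version 5.8.0.21. The following is an added example of that check, written for this page; it is not Tenable's plugin code and not Cleo's. It assumes version strings are dotted decimal numbers (as in the advisory) and uses a constructed inventory of hosts. It also shows why a plain string comparison is the wrong tool: "5.8.0.9" sorts after "5.8.0.21" as text, so a naive check would report a vulnerable 5.8.0.9 install as patched.

```python
from typing import List, Tuple

# Fixed version named in the Cleo advisory (CVE-2024-50623).
FIXED_VERSION = "5.8.0.21"

# Products the advisory lists as affected.
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.8.0.21' into (5, 8, 0, 21) so components compare numerically.

    Raises ValueError on anything that is not dotted decimals, because a
    silently mis-parsed version would yield a silently wrong verdict.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise 'a < b'; shorter versions are zero-padded
    so that '5.8' compares as 5.8.0.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def is_affected(product: str, version: str) -> bool:
    """True when an affected Cleo product reports a version below the fix."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return version_lt(version, FIXED_VERSION)


def naive_string_check(version: str) -> bool:
    """The pitfall: lexicographic comparison of version strings."""
    return version < FIXED_VERSION


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames from (host, product, version) records that need
    the 5.8.0.21 upgrade. Unparseable versions are reported as affected
    rather than dropped, so they get looked at by a human."""
    needs_upgrade = []
    for host, product, version in inventory:
        try:
            if is_affected(product, version):
                needs_upgrade.append(host)
        except ValueError:
            if product in AFFECTED_PRODUCTS:
                needs_upgrade.append(host)
    return needs_upgrade


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "Harmony", "5.8.0.20"),
    ("mft-02.example.internal", "VLTrader", "5.8.0.21"),
    ("mft-03.example.internal", "LexiCom", "5.8.0.9"),
    ("mft-04.example.internal", "Harmony", "5.8.0.x"),
    ("ftp-01.example.internal", "OtherVendor", "1.0.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to Cleo {FIXED_VERSION} or later")
```

The `5.8.0.x` record is deliberately unparseable: a scanner that cannot read the version should flag the host rather than assume it is fixed.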

Solution

Upgrade to Cleo Harmony 5.8.0.21, VLTrader 5.8.0.21 or LexiCom 5.8.0.21, or to the latest available release.

See Also

https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

Plugin Details

Severity: High

ID: 114542

Type: remote

Published: 12/19/2024

Updated: 12/19/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2024-50623

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2024-50623

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/27/2024

Vulnerability Publication Date: 10/27/2024

CISA Known Exploited Vulnerability Due Dates: 1/3/2025

Reference Information

CVE: CVE-2024-50623