CVE-2024-50623
In short
The affected Cleo products (Harmony, VLTrader, and LexiCom) allow users to upload files without proper validation, which attackers can exploit to upload malicious files and execute code on the server. This is a critical flaw because it gives attackers complete control over the affected system.
Technical detail
A CWE-434 unrestricted file upload vulnerability in Cleo Harmony, VLTrader, and LexiCom versions before 5.8.0.21 permits attackers, authenticated or not, to upload arbitrary files without extension or content validation, leading to remote code execution on the server. The attack requires network access to the upload interface but no special privileges or user interaction.
Summary generated and translated by AI from the official description.
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 4
github: github.com/watchtowrlabs/CVE-2024-50623 (★ 25)
github: github.com/verylazytech/CVE-2024-50623 (★ 7)
github: github.com/iSee857/Cleo-CVE-2024-50623-PoC (★ 5)
github: github.com/congdong007/CVE-2024-50623-poc (★ 0)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.