Description

Cleo Harmony, VLTrader, and LexiCom contain arbitrary file read/write vulnerabilities that leads to remote code execution. Successful exploitation of the vulnerability can result in takeover of the server.

Remediation

Upgrade to the latest version of Cleo software

References

Cleo Product Security Update - CVE-2024-55956

Cleo Product Security Advisory - CVE-2024-50623

Cleo Harmony, VLTrader, and LexiCom - RCE via Arbitrary File Write (CVE-2024-50623)

Technical Analysis CVE-2024-55956

Related Vulnerabilities

WebLogic CVE-2020-14652 Vulnerability (CVE-2020-14652)

Oracle Database Server CVE-2016-5555 Vulnerability (CVE-2016-5555)

Mailman Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2010-3089)

MySQL CVE-2018-2646 Vulnerability (CVE-2018-2646)

EspoCRM Improper Neutralization of Formula Elements in a CSV File Vulnerability (CVE-2022-38844)

Severity

Critical

Classification

CVE-2024-50623 CVE-2024-55956 CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Arbitrary File Read Arbitrary File Write Known Vulnerabilities