-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #891 from DIVD-NL/sT0wn-nl-patch-2
Create DIVD-2024-00052.md
- Loading branch information
Showing
1 changed file
with
52 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| --- | ||
| layout: case | ||
| title: "Remote code execution in Cleo Harmony, VLCTrader and LexiCom" | ||
| author: Alwin Warringa | ||
| lead: Alwin Warringa | ||
| excerpt: "Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution" | ||
| researchers: | ||
| - Alwin Warringa | ||
| - Stan Plasmeijer | ||
| cves: | ||
| - CVE-2024-50623 | ||
| product: | ||
| - Cleo Harmony | ||
| - Cleo VLTrader | ||
| - Cleo LexiCom | ||
| versions: | ||
| - 5.8.0.24 and earlier | ||
| recommendation: "Upgrade to version 5.8.0.24 or later" | ||
| workaround: "none" | ||
| patch_status: Patch available | ||
| status : Open | ||
| start: 2024-12-10 | ||
| timeline: | ||
| - start: 2024-12-10 | ||
| end: | ||
| event: "DIVD starts researching the vulnerability." | ||
| - start: 2024-12-10 | ||
| end: | ||
| event: "DIVD finds fingerprint, preparing to scan." | ||
| - start: 2024-12-10 | ||
| end: | ||
| event: "Case opened and starting first scan." | ||
| --- | ||
|
|
||
| ## Summary | ||
| Cleo Harmony, VLCTrader and LexiCom versions below 5.8.0.24 are vulnerable for an remote code execution. A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system. This vulnerability is exploitable without authentication. | ||
|
|
||
| ## Recommendations | ||
|
|
||
| To remediate {% cve CVE-2024-50623 %} and a pending CVE, upgrade to version 5.8.0.24 or later. You can find a link to the Cleo bulletin at the bottom of this post. | ||
|
|
||
| ## What we are doing | ||
|
|
||
| DIVD is currently working to identify parties that are running a vulnerable version of Cleo Harmony, VLCTrader or LexiCom and to notify these parties. | ||
|
|
||
| {% include timeline.html %} | ||
|
|
||
| ## More information | ||
|
|
||
| * {% cve CVE-2024-50623 %} | ||
| * [Cleo Security Bulletin](https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623) | ||
| * [Cleo Security Bulletin](https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending) |