Allegra loadFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2023-51642

6.3MEDIUM

Key Information:

Vendor

Allegra

Status
Allegra
Vendor
CVE Published:
22 November 2024

What is CVE-2023-51642?

The Allegra software has a vulnerability within the loadFieldMatch method, which arises from insufficient validation of data supplied by the user. This flaw allows attackers to exploit the deserialization of untrusted data, potentially leading to the execution of arbitrary code under the LOCAL SERVICE context. While authentication is necessary for exploitation, the existing registration mechanism could enable an attacker to create a user with adequate privileges to take advantage of this flaw. Vigilance is recommended for users of the affected product versions, especially concerning access controls.

Affected Version(s)

Allegra 7.5.0 build 29

References

https://www.zerodayinitiative.com/advisories/ZDI-24-105/
x_research-advisory
https://www.trackplus.com/en/service/release-notes-reader...
vendor-advisory

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.