Allegra uploadFile Directory Traversal Remote Code Execution Vulnerability
CVE-2023-51643

4.7MEDIUM

Key Information:

Vendor: Allegra
Status: Allegra
Vendor: CVE Published:; 22 November 2024

What is CVE-2023-51643?

The Allegra uploadFile method has a vulnerability that permits remote attackers to execute arbitrary code on the affected installations. This issue arises from inadequate validation of user-supplied paths prior to their utilization in file operations. Although the exploitation necessitates authentication, the authentication mechanism can be circumvented, enabling attackers to leverage the flaw effectively. Successful exploitation allows the execution of code with the privileges of the LOCAL SERVICE account, posing a significant risk to system security.

Affected Version(s)

Allegra 7.5.0 build 29

References

https://www.zerodayinitiative.com/advisories/ZDI-24-103/

x_research-advisory

https://www.trackplus.com/en/service/release-notes-reader...

vendor-advisory

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 22, 2024
Vulnerability Reserved
Dec 20, 2023

CVE-2023-51643 Data

JSON