Cognos Controller Vulnerable to Malicious File Upload Attacks
CVE-2024-25020

9.8CRITICAL

Key Information:

Vendor: IBM
Status: Cognos Controller
Vendor: CVE Published:; 3 December 2024

Summary

IBM Cognos Controller versions 11.0.0 and 11.0.1 are vulnerable to a significant security flaw that facilitates the upload of malicious files via the Journal entry page. This vulnerability stems from insufficient restrictions on filetype attachments, which could allow attackers to upload and execute harmful executable files within the system. Consequently, these files can be leveraged to conduct further attacks against victims, posing a considerable threat to data integrity and security.

References

https://www.ibm.com/support/pages/node/7177220

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 3, 2024