Cyber Posture

CVE-2024-45084

Severity: High

Published: 19 February 2025
Modified: 29 September 2025
KEV Added:
Patch:
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.

Security Summary

CVE-2024-45084 is a formula injection vulnerability in IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0. The flaw stems from improper validation of file contents, enabling an authenticated attacker to inject malicious formulas that lead to arbitrary command execution on the affected system. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-1236.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), including executing arbitrary commands on the underlying system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7183597 provides details on mitigation, including available patches for the affected versions. Security practitioners should apply these updates promptly and review access controls for the file upload functionality in these products.
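The advisory does not describe the exact file format involved, so the following is an added, generic illustration of the CWE-1236 defenses a practitioner would check for in a product that ingests and exports spreadsheet-style files; it is not IBM's code. It assumes CSV cells and shows both ingest-side validation (flagging formula-like cells in an upload) and export-side neutralization (escaping cells so a spreadsheet client renders them as text).

```python
# Added example (not IBM's code): CWE-1236 defenses. find_formula_cells()
# validates an upload; neutralize_cell()/write_safe_csv() encode exports.
import csv
import io
import re

# Leading characters common spreadsheet clients treat as a formula start.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Plain signed numbers such as -250.00 are legitimate values, not formulas.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")

def is_formula_like(value: str) -> bool:
    """True if a client would evaluate the cell instead of displaying it.
    Leading spaces are skipped because some clients ignore them."""
    stripped = value.lstrip(" ")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    return NUMERIC.fullmatch(stripped) is None

def find_formula_cells(csv_text: str) -> list:
    """Ingest-side validation: (row, column, value) of every formula-like
    cell in the uploaded CSV, so the caller can reject or quarantine it."""
    hits = []
    for row_idx, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col_idx, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((row_idx, col_idx, cell))
    return hits

def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with an apostrophe so the spreadsheet
    client renders it as literal text; other cells pass through unchanged."""
    return "'" + value if is_formula_like(value) else value

def write_safe_csv(rows: list) -> str:
    """Export with every cell neutralized and quoted; quoting also keeps
    embedded delimiters and quotes inside their own cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()

# Constructed sample upload: a legitimate negative amount and two formula-like cells.
SAMPLE_UPLOAD = (
    "account,amount,note\n"
    "1001,-250.00,quarterly adjustment\n"
    "1002,300,=SUM(A1:A2)\n"
    "1003,15,@external\n"
)
```

Running find_formula_cells(SAMPLE_UPLOAD) flags the two formula-like cells while leaving the negative amount alone, which is the distinction a naive "reject anything starting with -" check would get wrong.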

Details

CWE(s): CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

Affected Products

Vendor  Product            Versions
ibm     cognos controller  11.0.0 through 11.0.1.4
ibm     controller         11.1.0

References