CVE-2024-49352
Published: 05 February 2025
Description
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Security Summary
IBM Cognos Analytics versions 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 are affected by CVE-2024-49352, an XML External Entity Injection (XXE) vulnerability classified under CWE-611. The flaw is triggered when the software parses XML input, which is the point at which entity references in the document are resolved. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L), indicating high confidentiality impact and low availability impact.
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to disclose sensitive information from the server or consume memory resources, leading to denial-of-service conditions.
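The two impacts named above (information disclosure and memory consumption) both depend on the parser honouring entity declarations in a DTD. The standard mitigation for CWE-611 is to refuse any DOCTYPE before the document is parsed. The following is an added example written for this record, not IBM's code and not part of Cognos Analytics; it uses only the Python standard library (Cognos itself is Java-based, where the equivalent control is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the parser factory). The sample documents, the `UnsafeXMLError` class and the `safe_parse` / `is_safe_xml` helpers are constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DOCTYPE, an entity declaration
    or an external entity reference (all hallmarks of CWE-611 input)."""


def reject_doctype_and_entities(data: bytes) -> None:
    """Pre-parse guard (example code). Scans the document with expat and
    aborts on the first DTD construct. External entities and entity
    expansion bombs both require a DTD, so refusing the DOCTYPE outright
    closes the whole class rather than chasing individual payloads."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE for <{name}> is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")

    def on_external_entity(context, base, sysid, pubid):
        # Never fetch the referenced resource; fail closed instead.
        raise UnsafeXMLError(f"external entity reference {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(data, True)


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the guard has accepted it."""
    reject_doctype_and_entities(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """Boolean form of the guard, convenient for request filtering or
    for logging rejected uploads as a detection signal."""
    try:
        reject_doctype_and_entities(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample inputs (not taken from the advisory).
BENIGN_DOC = b'<?xml version="1.0"?><report><row id="1">ok</row></report>'
ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
    b'<report>&ext;</report>'
)

if __name__ == "__main__":
    print("benign root:", safe_parse(BENIGN_DOC).tag)
    print("benign accepted:", is_safe_xml(BENIGN_DOC))
    print("DTD document accepted:", is_safe_xml(ENTITY_DOC))
```

Because the guard runs as a separate pass before the real parser sees the bytes, it works in front of any XML library, and a rejected document is a cheap, high-signal event to log: legitimate clients of an analytics API essentially never send a DOCTYPE.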
IBM has published a security advisory at https://www.ibm.com/support/pages/node/7181480 providing details on the vulnerability, affected versions, and recommended mitigation steps, including available patches.
Details
- CWE(s)