January 9, 2025
Severity
Medium
Analysis Summary
CVE-2024-41775 CVSS:5.9
IBM Cognos Controller 11.0.0 and 11.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVE-2024-25020 CVSS:5.5
IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to malicious file upload because it allows unrestricted file type attachments in the Journal entry page. Attackers can use this weakness to upload malicious executable files into the system, which can then be sent to victims to perform further attacks.
CVE-2024-41776 CVSS:6.5
IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2024-45676 CVSS:4.3
IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user to upload insecure files, due to insufficient file type distinction.
CVE-2024-25019 CVSS:5.5
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload because it does not validate the type of file uploaded to Journal entry attachments. Attackers can use this weakness to upload malicious executable files into the system, which can then be sent to victims to perform further attacks.
CVE-2021-29892 CVSS:5.9
IBM Cognos Controller 11.0.0 and 11.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.
Impact
- Information Disclosure
- Gain Access
Indicators of Compromise
CVE
- CVE-2024-41775
- CVE-2024-25020
- CVE-2024-41776
- CVE-2024-45676
- CVE-2024-25019
- CVE-2021-29892
Affected Vendors
- IBM
Affected Products
- IBM Cognos Controller - 11.0.0
- IBM Cognos Controller - 11.0.1
Remediation
Refer to IBM Security Advisory for patch, upgrade, or suggested workaround information.