Improper access control in Allegra

#VU86354 Improper access control in Allegra

Published: 2024-02-13

Vulnerability identifier: #VU86354

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-22512

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Allegra
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Steinbeis GmbH & Co. KG

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an error in Struts configuration. A remote attacker can bypass implemented security restrictions and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Allegra: 5.1.0 - 7.5.0

External links
http://www.zerodayinitiative.com/advisories/ZDI-24-102/
http://www.trackplus.com/en/service/release-notes-reader/7-5-1-release-notes-2.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Allegra