{"uuid": "cb44f848-2e46-430a-b089-517177296c87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Cleo Product Security Update - CVE-2024-55956 and CVE-2024-50623", "description": "# Cleo Product Security Update - CVE-2024-55956\n\n\nPatch Version 5.8.0.24 Made Available to Address Previously Reported Critical Vulnerability (CVE-2024-55956)\nCleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address this vulnerability.\n\nThe vulnerability affects only the following products:\n\n- Cleo Harmony\u00ae (prior to version 5.8.0.24)\n- Cleo VLTrader\u00ae (prior to version 5.8.0.24)\n- Cleo LexiCom\u00ae (prior to version 5.8.0.24)\n\nThis security patch (version 5.8.0.24) addresses the previously identified critical vulnerability (CVE-2024-55956) in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.\n\nPlease visit [Unauthenticated Malicious Hosts Vulnerability](https://support.cleo.com/hc/en-us/articles/28389495587095) to take immediate action.\n\n# Cleo Product Security Advisory - CVE-2024-50623\n\nCleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.\n\nThe vulnerability affects the following products:\n\n- Cleo Harmony\u00ae (prior to version 5.8.0.21)\n- Cleo VLTrader\u00ae (prior to version 5.8.0.21)\n- Cleo LexiCom\u00ae (prior to version 5.8.0.21)\n\nCleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability.\n\nPlease visit [Unrestricted File Upload and Download Vulnerability Mitigation](https://support.cleo.com/hc/en-us/articles/27141200982423) to take immediate action.\n\nUnfortunately, some of the links are restricted to customers having a support contract.\n\nCVE-2024-12632 is now rejected and a duplicate of CVE-2024-55956.\n", "creation_timestamp": "2024-12-15T10:09:25.481534+00:00", "timestamp": "2024-12-15T14:36:47.345521+00:00", "related_vulnerabilities": ["CVE-2024-55956", "CVE-2024-12632", "CVE-2024-50623"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
