CVE-2024-49352

Published: Feb 5, 2025Modified: Jul 2, 2025

7.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Exploitability: 2.8 / Impact: 4.2

Source: psirt@us.ibm.com (Secondary)

Description

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Affected (9)

Products: Ibm: Cognos Analytics

Ibm

1 product

Cognos Analytics

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Ibm Cognos Analytics	From 11.2.0 to 11.2.4
Ibm Cognos Analytics	From 12.0.0 to 12.0.4
Ibm Cognos Analytics	Version 11.2.4
Ibm Cognos Analytics	Version 11.2.4 fixpack1
Ibm Cognos Analytics	Version 11.2.4 fixpack2
Ibm Cognos Analytics	Version 11.2.4 fixpack3
Ibm Cognos Analytics	Version 11.2.4 fixpack4
Ibm Cognos Analytics	Version 12.0.4
Ibm Cognos Analytics	Version 12.0.4 interim_fix_1

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (1)

https://www.ibm.com/support/pages/node/7181480

Source: psirt@us.ibm.com

PatchVendor Advisory

Timeline

No history available yet.