
IBM has released security updates to address two critical vulnerabilities affecting its flagship business intelligence platform, IBM Cognos Analytics, warning that attackers could exploit these flaws to compromise systems, leak sensitive data, or crash servers.
The more severe of the two, CVE-2024-51466 (CVSS 9.0), is an Expression Language (EL) Injection vulnerability. According to IBM: “A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.”
This flaw enables attackers to manipulate dynamic expressions processed by the Cognos server, potentially leading to denial-of-service conditions or unauthorized access to internal data.
The second flaw, CVE-2024-40695, stems from inadequate validation of file uploads via the web interface. IBM warns: “Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to a victim for performing further attacks.”
This vulnerability opens the door to remote code execution or secondary attack chains, particularly dangerous when combined with social engineering techniques. Its CVSS base score of 8.0 marks it as high severity.
The vulnerabilities affect the following product versions:
- IBM Cognos Analytics 12.0.0 – 12.0.4 → Patch with 12.0.4 Interim Fix 1
- IBM Cognos Analytics 11.2.0 – 11.2.4 FP4 → Patch with 11.2.4 FP5
IBM strongly recommends immediate upgrades, emphasizing: “IBM strongly recommends addressing the vulnerability now by upgrading.”
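To turn the affected-version list above into a quick inventory check, here is an added example (not code from IBM or the advisory) that parses Cognos build strings such as "11.2.4 FP4" or "12.0.4 Interim Fix 1" into comparable tuples and reports whether an installed build falls inside the ranges this advisory names. The version-string format and the ordering of fix packs above interim fixes are assumptions; the ranges themselves are taken from the advisory text.

```python
import re
from typing import Tuple

# (major, minor, patch, fixpack, interim_fix) - ordering is an assumption:
# a fix pack is treated as newer than any interim fix on the same base build.
Version = Tuple[int, int, int, int, int]

# Per release stream: (lowest affected, highest affected, first fixed build),
# exactly as listed in the IBM advisory for CVE-2024-51466 / CVE-2024-40695.
ADVISORY = {
    "12.0": ("12.0.0", "12.0.4", "12.0.4 IF1"),
    "11.2": ("11.2.0", "11.2.4 FP4", "11.2.4 FP5"),
}

# Assumed build-string shape: "major.minor.patch", optional " FPn", optional " IFn".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"
    r"(?:\s*FP\s*(\d+))?"
    r"(?:\s*(?:IF|Interim Fix)\s*(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Turn '11.2.4 FP4' or '12.0.4 Interim Fix 1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cognos version string: {text!r}")
    major, minor, patch, fp, ifix = m.groups()
    return (int(major), int(minor), int(patch), int(fp or 0), int(ifix or 0))


def assess(installed: str) -> str:
    """Classify an installed build against the advisory's ranges.

    'affected'   - inside a listed affected range
    'fixed'      - at or above the first fixed build for that stream
    'not listed' - a stream or build the advisory does not mention
    """
    v = parse_version(installed)
    stream = f"{v[0]}.{v[1]}"
    if stream not in ADVISORY:
        return "not listed"
    low, high, fixed = (parse_version(s) for s in ADVISORY[stream])
    if v >= fixed:
        return "fixed"
    if low <= v <= high:
        return "affected"
    return "not listed"
```

Builds in streams the advisory does not mention (for example 11.1.x) come back as "not listed" rather than "fixed", so they still need a separate check against IBM's support matrix.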