Sensitive Data Exposure (CVE-2024-52323) in Analytics Plus on-premise Leading to Privilege Escalation

Severity: High

CVE ID: CVE-2024-52323

Product name              | Affected Software Version(s)                      | Fixed Version | Fixed On
--------------------------|---------------------------------------------------|---------------|------------------
Analytics Plus on-premise | Analytics Plus on-premise builds below 6100       | Build 6100    | November 27, 2024
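The table above gives a single cut-off: any Analytics Plus on-premise build below 6100 is affected. The following triage helper is an added example for administrators with several installations, not vendor code; the host names and build strings it uses are constructed, and it assumes the build number is the integer that appears in the product's build string.

```python
import re

# Values taken from the advisory table above.
FIXED_BUILD = 6100  # builds below this number are affected by CVE-2024-52323


def parse_build(build):
    """Extract the integer build number from strings such as '6100' or 'Build 5912'.

    Raises ValueError when the string carries no digits, so callers can
    report an unknown version instead of silently treating it as fixed.
    """
    match = re.search(r"\d+", str(build))
    if not match:
        raise ValueError(f"no build number found in {build!r}")
    return int(match.group())


def is_affected_by_cve_2024_52323(build):
    """Return True when the given build is below the fixed build 6100."""
    return parse_build(build) < FIXED_BUILD


def triage(inventory):
    """Map {host: build string} to {host: 'affected' | 'fixed' | 'unknown'}.

    Unparseable build strings are flagged as 'unknown' rather than assumed
    safe, so they still show up in the list of hosts needing attention.
    """
    status = {}
    for host, build in inventory.items():
        try:
            status[host] = "affected" if is_affected_by_cve_2024_52323(build) else "fixed"
        except ValueError:
            status[host] = "unknown"
    return status


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    sample_inventory = {
        "ap-prod-01": "Build 5912",
        "ap-prod-02": "6100",
        "ap-lab-01": "Build 6125",
        "ap-legacy": "n/a",
    }
    for host, result in triage(sample_inventory).items():
        print(f"{host}: {result}")
```

Feed the function whatever your inventory system records as the build string; anything it cannot parse is reported as unknown so that it is reviewed by hand rather than dropped.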

Details

A Sensitive Data Exposure vulnerability has been identified in Analytics Plus on-premise that allows an authenticated user to retrieve sensitive tokens associated with the org-admin account. This could potentially lead to unintended privilege escalation.

Impact

This vulnerability enables an attacker to perform admin actions, such as adding or removing users and altering configurations.

Fix

We have addressed this issue by removing the unused, vulnerable code path from the application, which eliminates the exposure.

Steps to upgrade

  1. Kindly download the latest upgrade pack from here.
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above step.

Acknowledgements

This vulnerability was reported by Mohamed Mekkawy working with Trend Micro's Zero Day Initiative in our Bug Bounty portal.

If you have any questions or concerns, please contact product support at the email addresses below: