7.5.1 Release Notes
by Bence Nagy
Important Security Updates
We are pleased to introduce you to version 7.5.1 of Allegra, which includes very important security improvements and enhancements for better usability. This update is part of our commitment to continuously offer you a secure and efficient product.
To address the security vulnerabilities listed below, it is strongly recommended to update to the latest Allegra version 7.5.1. Upon installation, a fix will be applied for each CVE listed in the table below, except for CVE-2023-22360. Cloud customers do not need to take any action, as we have updated their instances immediately following the disclosure.
Additional note on CVE-2023-22360 for On-Premise customers: Please check whether you have changed the Allegra database default password after installation.
You can download the latest Allegra version 7.5.1 here.
The Allegra version 7.5.1 includes fixes to strengthen security for the following issues:
| CVE-ID | Product Affected | CVSS Score + Vector | CVE Description |
| CVE-2024-22507 | Allegra Versions lower 7.5.1. | 7.5 – High CVSS:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
An Arbitrary File Read vulnerability, which can be exploited by authenticated users, including those with a Guest role. This vulnerability is treated as unauthenticated since if anonymous access is activated anyone can login. |
| CVE-2024-22530 | Allegra Versions lower 7.5.1 | 7.5 – High CVSS:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| CVE-2024-22532 | Allegra Versions lower 7.5.1 | 7.5 – HIgh CVSS:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Unauthenticated Arbitrary File Read vulnerability. It requires the existence of the C:\Allegra\plugins\tp-math directory. |
| CVE-2024-22513 | Allegra Versions lower 7.5.1 | 7.2 – High CVSS:AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Post-authentication Remote Code Execution due to a directory traversal vulnerability during the backup restore operation. Admin privileges are required for exploitation. |
| CVE-2024-22512 | Allegra Versions lower 7.5.1 | 9.8 – Critical CVSS:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Unauthenticated Remote Code Execution due to improper access control in the Struts SiteConfigAction action of Allegra software. |
| CVE-2024-22510 | Allegra Versions lower 7.5.1 | 7.2 – High CVSS:AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Post-authentication Remote Code Execution due to a directory traversal vulnerability in the uploadFile method of the BrandingAction class. Admin privileges are required for exploitation. |
| CVE-2024-22548 | Allegra Versions lower 7.5.1 | 9.8 – Critical CVSS:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Remote Code Execution that can be exploited by any authenticated user, including those with a Guest role. This vulnerability is treated as unauthenticated since if anonymous access is activated anyone can login. |
| CVE-2024-22506 | Allegra Versions lower 7.5.1 | ||
| CVE-2024-22505 | Allegra Versions lower 7.5.1 | ||
| CVE-2024-22504 | Allegra Versions lower 7.5.1 | 7.2 – High CVSS:AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Post-authentication Remote Code Execution due to a directory traversal vulnerability during a file upload operation. Admin privileges are required for exploitation. |
| CVE-2023-22528 | Allegra Versions lower 7.5.1 | 7.2 – High CVSS:AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
|
| CVE-2023-22527 | Allegra Versions lower 7.5.1 | 7.2 – High CVSS:AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
|
| CVE-2023-22361 | Allegra Versions lower 7.5.1 | 9.8 – Critical CVSS:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Directory Traversal Authentication Bypass Vulnerability. |
| CVE-2023-01-22360 | Allegra Versions lower 7.5.1 | 9.8 – Critical CVSS:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Authentication Bypass due to Hard-coded Credentials.The critical aspect of this vulnerability lies in the fact that every Allegra installation uses the same default database password, which is possibly not changed post-installation. This vulnerability only affects On-Premise customers. We highly recommend changing database passwords after installing Allegra. |
Comments
Add a comment