Created on 2024-12-15 10:09 and updated on 2024-12-15 14:36.
Description
Cleo Product Security Update - CVE-2024-55956
Patch Version 5.8.0.24 Made Available to Address Previously Reported Critical Vulnerability (CVE-2024-55956)
Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address this vulnerability.
The vulnerability affects only the following products:
- Cleo Harmony® (prior to version 5.8.0.24)
- Cleo VLTrader® (prior to version 5.8.0.24)
- Cleo LexiCom® (prior to version 5.8.0.24)
This security patch (version 5.8.0.24) addresses the previously identified critical vulnerability (CVE-2024-55956) in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Please visit Unauthenticated Malicious Hosts Vulnerability to take immediate action.
Cleo Product Security Advisory - CVE-2024-50623
Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.
The vulnerability affects the following products:
- Cleo Harmony® (prior to version 5.8.0.21)
- Cleo VLTrader® (prior to version 5.8.0.21)
- Cleo LexiCom® (prior to version 5.8.0.21)
Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability.
Please visit Unrestricted File Upload and Download Vulnerability Mitigation to take immediate action.
Unfortunately, some of the links are restricted to customers having a support contact.
CVE-2024-12632 is now rejected and a duplicate of CVE-2024-55956.
Author
Alexandre Dulaunoy