CVE-2024-49780: IBM OpenPages path traversal

Published Feb 19, 2025
·
Updated

IBM OpenPages could allow a remote attacker to traverse directories on the system. An attacker with privileges to perform Import Configuration could send a specially crafted http request containing "dot dot" sequences (/../) in the file name parameter used in Import Configuration to write files to arbitrary locations outside of the specified directory and possibly overwrite arbitrary files.

Affected Software

6 affected componentsFixes available
IBM OpenPages<=9.0
IBM OpenPages with Watson<=IBM OpenPages with Watson 8.3
All of the following
Any of the following
IBM OpenPages with Watson>=8.3<8.3.0.3
IBM OpenPages with Watson>=9.0<9.0.0.5
Any of the following
Linux Linux kernel
Microsoft Windows

Event History

Feb 19, 2025
CVE Published
via IBM·12:00 AM
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Feb 20, 2025
CVE Published
via MITRE·03:49 AM
Data Sourced
via MITRE·03:49 AM
DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-49780?

CVE-2024-49780 is classified as a high severity vulnerability due to its potential for directory traversal by a remote attacker.

2

How do I fix CVE-2024-49780?

To fix CVE-2024-49780, it is recommended to apply the latest patch provided by IBM for OpenPages versions up to 9.0 and OpenPages with Watson versions up to 8.3.

3

Who is affected by CVE-2024-49780?

CVE-2024-49780 affects IBM OpenPages versions up to 9.0 and IBM OpenPages with Watson versions up to 8.3.

4

What is the exploit mechanism for CVE-2024-49780?

CVE-2024-49780 can be exploited through crafted HTTP requests that include "dot dot" sequences to manipulate file paths in Import Configuration.

5

What type of vulnerability is CVE-2024-49780?

CVE-2024-49780 is a directory traversal vulnerability that can allow unauthorized access to sensitive parts of the filesystem.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203