CVE-2024-26331

CVE Database · CVE-2024-26331

CVE-2024-26331

· HIGHDeferred

CVSS v3.1

7.5

EPSS

49.32%

Published

Apr 30, 2024

Modified

Apr 14, 2026

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

ReCrystallize Server 5.10.0.0 uses a authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-287

References (4)

https://sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/

https://www.recrystallize.com/merchant/ReCrystallize-Server-for-Crystal-Reports.htm

https://sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/

https://www.recrystallize.com/merchant/ReCrystallize-Server-for-Crystal-Reports.htm

KEV Catalog EPSS Scores Vendors All CVEs