CVE-2024-45084

High

Published: 19 February 2025

Published

19 February 2025

Modified

29 September 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0026 49.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45084 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Ibm Cognos Controller. Its CVSS base score is 8.0 (High).

Operationally, ranked at the 49.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the improper validation of file contents that enables authenticated attackers to inject malicious formulas leading to arbitrary command execution.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by requiring timely remediation of flaws, including application of vendor patches as specified in IBM's security advisory.

SI-9 Information Input Restrictions partial match

prevent

Enforces restrictions on file types and structures processed by the system, limiting opportunities for formula injection via unauthorized input formats.

NVD Description

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.

Deeper analysisAI

CVE-2024-45084 is a formula injection vulnerability in IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0. The flaw stems from improper validation of file contents, enabling an authenticated attacker to inject malicious formulas that lead to arbitrary command execution on the affected system. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-1236.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability (C:I:A:H), including executing arbitrary commands on the underlying system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7183597 provides details on mitigation, including available patches for the affected versions. Security practitioners should apply these updates promptly and review access controls for file upload functionalities in these products.

Details

CWE(s): CWE-1236

Affected Products

ibm

cognos controller

11.0.0 — 11.0.1.4

ibm

controller

11.1.0

CVEs Like This One

CVE-2024-28777Same product: Ibm Cognos Controller

CVE-2024-40702Same product: Ibm Cognos Controller

CVE-2024-52902Same product: Ibm Cognos Controller

CVE-2023-47160Same product: Ibm Cognos Controller

CVE-2024-49779Same product: Microsoft Windows

CVE-2024-49781Same product: Microsoft Windows

CVE-2025-13916Same product: Microsoft Windows

CVE-2024-41766Same product: Microsoft Windows

CVE-2026-2713Same product: Microsoft Windows

CVE-2024-49782Same product: Microsoft Windows

References

https://www.ibm.com/support/pages/node/7183597
Vendor Advisory · psirt@us.ibm.com