CVE-2024-26331

HIGH NUCLEI

ReCrystallize Server - Authentication Bypass

Title source: nuclei

Description

ReCrystallize Server 5.10.0.0 uses a authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value.

Nuclei Templates (1)

ReCrystallize Server - Authentication Bypass

HIGHVERIFIEDby Carson Chan

Shodan: title:"ReCrystallize"

References (2)

[Various Sources] https://sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/

[Various Sources] https://www.recrystallize.com/merchant/ReCrystallize-Server-for-Crystal-Reports.htm

Scores

CVSS v3 7.5

EPSS 0.6786

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-287

Status published

Published Apr 30, 2024

Tracked Since Feb 18, 2026