CVE-2024-26331

HIGH NUCLEI

ReCrystallize Server - Authentication Bypass

Title source: nuclei

Exploitation Summary

CVE-2024-26331 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

ReCrystallize Server 5.10.0.0 uses a authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value.

Nuclei Templates (1)

ReCrystallize Server - Authentication Bypass

HIGHVERIFIEDby Carson Chan

Shodan: title:"ReCrystallize"

References (2)

Core 2

Core References

Various Sources

https://sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/

Various Sources

https://www.recrystallize.com/merchant/ReCrystallize-Server-for-Crystal-Reports.htm

Scores

CVSS v3 7.5

EPSS 0.4932

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-287

Status published

Published Apr 30, 2024

Tracked Since Feb 18, 2026