HIGH · CVE-2023-51646 · CVSS 7.2

CVE-2023-51646: RCE in Allegra Directory Traversal

Platform

other

Component

allegra

Fixed in

7.5.1

AI Confidence: high · NVD · EPSS 0.5% · Reviewed: May 2026

CVE-2023-51646 is a Remote Code Execution (RCE) vulnerability discovered in Allegra, a data visualization and business intelligence platform. This flaw allows authenticated attackers to bypass authentication and execute arbitrary code on affected systems. The vulnerability impacts Allegra versions 7.5.0 build 29 and earlier, and a fix is available in version 7.5.1.

Impact and Attack Scenarios

The primary impact of CVE-2023-51646 is the potential for remote code execution. An attacker who can authenticate to the Allegra system, even with a bypassed authentication mechanism, can upload malicious files and execute them on the server. This could lead to complete system compromise, data exfiltration, and disruption of services. The attacker gains the privileges of the LOCAL SERVICE account, which may have access to sensitive data and system resources. Successful exploitation could allow an attacker to install persistent backdoors, steal credentials, or pivot to other systems within the network.

Exploitation Context

CVE-2023-51646 was reported to ZDI (ZDI-CAN-22527) and subsequently published on 2024-11-22. The vulnerability's exploitation probability is considered medium due to the requirement for authentication, although the bypass described suggests ease of exploitation. Public proof-of-concept code is not currently available, but the vulnerability's nature makes it likely that such code will emerge. Monitor security advisories and threat intelligence feeds for updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.54% (67% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

Threat intelligence · CVSS 3.1 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (base score 7.2, HIGH)

What do these metrics mean?

Attack Vector: Network. How the attacker reaches the target: remotely exploitable over the internet; no physical or local access required; widest attack surface.
Attack Complexity: Low. Conditions required to exploit: no special conditions required; the attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: High. Authentication level needed to attack: an admin or privileged account is required to exploit.
User Interaction: None. Whether a victim must take action: the attack is automatic and silent; the victim does nothing (no click, no file open).
Scope: Unchanged. Impact beyond the vulnerable component: the impact is limited to the vulnerable component itself.
Confidentiality: High. Risk of sensitive data exposure: complete confidentiality loss; the attacker can read all data, including credentials, keys and personal data.
Integrity: High. Risk of unauthorized data modification: the attacker can write, modify or delete any data, including databases, config files or code.
Availability: High. Risk of service disruption: complete crash or resource exhaustion; full denial of service.

Source: nextguardhq.com · CVSS v3.1 Base Score

Affected Software

Component: allegra
Vendor: Allegra
Affected range: 7.5.0 build 29 – 7.5.0 build 29
Fixed in: 7.5.1

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2023-51646 is to upgrade Allegra to version 7.5.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing temporary workarounds such as restricting file upload capabilities to trusted users and closely monitoring file uploads for suspicious activity. Review Allegra's access control lists to ensure only authorized users have upload privileges. Implement a Web Application Firewall (WAF) with rules to block attempts to upload files with suspicious extensions or paths. After upgrading, confirm the fix by attempting to upload a test file and verifying that the upload fails with an appropriate error message.

How to fix

Upgrade Allegra to version 7.5.1 or later. This version fixes the directory traversal vulnerability in the uploadSimpleFile method. The update will prevent remote execution of arbitrary code.
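The two defensive measures the page describes, rejecting upload names that escape the upload directory (the weakness in uploadSimpleFile) and monitoring upload activity for traversal attempts, can be illustrated with a short validator and log filter. The code below is an added example, not Allegra's own code or its fix; the `/uploadSimpleFile` request path, the `user=... filename="..."` log format and all sample log lines are constructed for the example, and the upload root is an assumed path.

```python
"""Defensive checks for a file-upload handler: reject client-supplied names
that escape the upload directory, and flag traversal attempts in upload logs.
Added example, not Allegra's code. Log format and paths are constructed."""
import os
import re
from urllib.parse import unquote

# A bare upload name must never contain a path separator or NUL
# (NUL truncates names in some lower layers).
_FORBIDDEN = ("/", "\\", "\x00")


def is_safe_filename(name: str) -> bool:
    """True only if `name` is a single, non-special path component.

    The name is also checked after one round of URL-decoding so that an
    encoded separator (%2f, %5c) does not slip past the raw check.
    """
    if not name:
        return False
    for candidate in (name, unquote(name)):
        if candidate in (".", ".."):
            return False
        if any(ch in candidate for ch in _FORBIDDEN):
            return False
    return True


def safe_upload_path(upload_root: str, name: str) -> str:
    """Resolve `name` inside `upload_root`; raise ValueError if it escapes."""
    if not is_safe_filename(name):
        raise ValueError(f"rejected upload name: {name!r}")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    # Even a name that passed the character check must still resolve beneath
    # the root; realpath normalises symlinked roots before the comparison.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"upload name escapes root: {name!r}")
    return target


# Detection side: flag upload requests whose filename carries a traversal
# sequence, raw or URL-encoded. The pattern is deliberately broad; tune it
# against your own logs to keep false positives manageable.
_TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e|\.\.%2f|\.\.%5c)", re.IGNORECASE)
_FILENAME = re.compile(r'filename="([^"]*)"')


def suspicious_upload_events(log_lines):
    """Return (line_no, user, filename) for each upload line with a traversal marker."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _FILENAME.search(line)
        if not m:
            continue
        fname = m.group(1)
        if _TRAVERSAL.search(fname):
            user = re.search(r"user=(\S+)", line)
            hits.append((n, user.group(1) if user else "?", fname))
    return hits


# Constructed sample log lines (not real Allegra output).
SAMPLE_LOG = [
    '2024-11-23T10:15:02Z POST /uploadSimpleFile user=alice filename="q3-report.pdf" status=200',
    '2024-11-23T10:15:40Z POST /uploadSimpleFile user=admin filename="../../../webapps/injected.txt" status=200',
    '2024-11-23T10:16:05Z POST /uploadSimpleFile user=admin filename="..%2f..%2fconf%2finjected.txt" status=200',
    '2024-11-23T10:16:30Z GET /login user=bob status=200',
]

if __name__ == "__main__":
    for hit in suspicious_upload_events(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print(safe_upload_path("/srv/allegra/uploads", "q3-report.pdf"))
```

The validator rejects the name outright rather than trying to strip `..` sequences, because stripping can be bypassed by nesting (`....//`) and by alternate encodings; the realpath check is a second, independent guard in case the name check is ever loosened. The log filter is the kind of rule a WAF or SIEM would carry while an upgrade is pending: it reports who sent the request and what name was attempted, which is what an incident responder needs first.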

Frequently asked questions

What is CVE-2023-51646 — RCE in Allegra?

CVE-2023-51646 is a Remote Code Execution vulnerability in Allegra, allowing attackers to execute code on affected systems by bypassing authentication.

Am I affected by CVE-2023-51646 in Allegra?

You are affected if you are using Allegra versions 7.5.0 build 29 or earlier. Upgrade to 7.5.1 to mitigate the risk.

How do I fix CVE-2023-51646 in Allegra?

Upgrade Allegra to version 7.5.1 or later. As a temporary workaround, restrict file upload privileges and monitor upload activity.

Is CVE-2023-51646 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's nature suggests it is likely to be targeted. Monitor security advisories and threat intelligence feeds.

Where can I find the official Allegra advisory for CVE-2023-51646?

Refer to the Allegra security advisory for CVE-2023-51646 on the official Allegra website or relevant security mailing lists.
