Lucene search

GitHub_MCVE-2024-42489

HistoryAug 12, 2024 - 4:15 p.m.

CVE-2024-42489

2024-08-1216:15:16

CWE-74

GitHub_M

web.nvd.nist.gov

pro macros xwiki rendering ckeditor.htmlconverter viewpdf viewppt remote code execution vulnerability fix 1.10.1

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.001

Percentile

27.9%

JSON

Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the CKEditor.HTMLConverter page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

xwikipro_macrosRange1.0–1.10.1

VendorProductVersionCPE
xwikipro_macros*cpe:2.3:a:xwiki:pro_macros:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	pro_macros	*	cpe:2.3:a:xwiki:pro_macros::::::::

CNA Affected

[
  {
    "vendor": "xwikisas",
    "product": "xwiki-pro-macros",
    "versions": [
      {
        "version": ">= 1.0, < 1.10.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267

github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba

github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.001

Percentile

27.9%

JSON

Related for CVE-2024-42489