Lucene search

GitHub_MCVELIST:CVE-2024-42489

HistoryAug 12, 2024 - 3:49 p.m.

CVE-2024-42489 Pro Macros Remote Code Execution via Viewpdf and similar macros

2024-08-1215:49:18

CWE-74

GitHub_M

www.cve.org

cve-2024-42489; pro macros; remote code execution; xwiki rendering; missing escaping; viewpdf macro; ckeditor.htmlconverter; vulnerability; fixed in 1.10.1

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

27.9%

JSON

Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the CKEditor.HTMLConverter page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.

CNA Affected

[
  {
    "vendor": "xwikisas",
    "product": "xwiki-pro-macros",
    "versions": [
      {
        "version": ">= 1.0, < 1.10.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267

github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba

github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

27.9%

JSON

Related for CVELIST:CVE-2024-42489