Lucene search

GoogleOSV:CVE-2024-42489

HistoryAug 12, 2024 - 4:15 p.m.

CVE-2024-42489

2024-08-1216:15:16

Google

osv.dev

pro macros

xwiki

rendering

macro

vulnerability

fix

remote code execution

viewpdf

viewppt

ckeditor.htmlconverter

1.10.1

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.5

Confidence

Low

EPSS

0.001

Percentile

27.9%

JSON

Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the CKEditor.HTMLConverter page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.

References

github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267

github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba

github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.5

Confidence

Low

EPSS

0.001

Percentile

27.9%

JSON

Related for OSV:CVE-2024-42489