CVE-2024-42489

Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.
Configurations

Configuration 1 (hide)

cpe:2.3:a:xwiki:pro_macros:*:*:*:*:*:*:*:*

History

16 Sep 2024, 19:46

Type Values Removed Values Added
References () https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267 - () https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267 - Broken Link
References () https://github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba - () https://github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba - Patch
References () https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65 - () https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65 - Vendor Advisory
Summary
  • (es) Pro Macros proporciona macros de renderizado de XWiki. La falta de escape en la macro Viewpdf permite a cualquier usuario con vista directa en la página `CKEditor.HTMLConverter` o editar o comentar directamente en cualquier página realizar la ejecución remota de código. Otras macros como Viewppt son vulnerables al mismo tipo de ataque. Esta vulnerabilidad se solucionó en 1.10.1.
CPE cpe:2.3:a:xwiki:pro_macros:*:*:*:*:*:*:*:*
First Time Xwiki
Xwiki pro Macros
CVSS v2 : unknown
v3 : 10.0
v2 : unknown
v3 : 8.8

12 Aug 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 16:15

Updated : 2024-09-16 19:46


NVD link : CVE-2024-42489

Mitre link : CVE-2024-42489

CVE.ORG link : CVE-2024-42489


JSON object : View

Products Affected

xwiki

  • pro_macros
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')