Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.
References
Configurations
History
16 Sep 2024, 19:46
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267 - Broken Link | |
References | () https://github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba - Patch | |
References | () https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
Summary |
|
|
CPE | cpe:2.3:a:xwiki:pro_macros:*:*:*:*:*:*:*:* | |
First Time |
Xwiki
Xwiki pro Macros |
12 Aug 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-12 16:15
Updated : 2024-09-16 19:46
NVD link : CVE-2024-42489
Mitre link : CVE-2024-42489
CVE.ORG link : CVE-2024-42489
JSON object : View
Products Affected
xwiki
- pro_macros
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')