CVE-2024-42489

12 Ago 2024

Título es

CVE-2024-42489

Lun, 12/08/2024 – 16:15

Tipo

CWE-74

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-42489

Descripción en

Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.

12/08/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

10.00

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267

https://github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba

https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65

Enviar en el boletín