CVE-2024-42489

high-risk
Published 2024-08-12

Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user who has view right on the `CKEditor.HTMLConverter` page, or edit or comment right on any page, to achieve remote code execution. Other macros, such as Viewppt, are vulnerable to the same kind of attack. This vulnerability is fixed in Pro Macros 1.10.1.
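The advisory gives two actionable facts: the fixed version is 1.10.1, and the affected macros are Viewpdf and Viewppt. As an added example (not part of this advisory and not the project's own code), the following script turns those into a triage check: flag every wiki in an extension inventory still running a Pro Macros version below 1.10.1, and list the pages that invoke the affected macros so their content can be reviewed. The macro ids `viewpdf` and `viewppt`, the inventory, and the sample page content are constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Fixed version per the advisory: Pro Macros 1.10.1.
FIXED_VERSION = (1, 10, 1)

# Assumed XWiki macro ids for the Viewpdf and Viewppt macros named in the advisory.
MACRO_RE = re.compile(r"\{\{\s*(viewpdf|viewppt)\b", re.IGNORECASE)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]([0-9A-Za-z.-]+))?")


def version_key(version: str):
    """Turn '1.9.2', '1.10', or '1.10.1-rc-1' into a comparable key.

    The key is (numeric tuple, release flag). A qualifier such as -rc-1 or
    -SNAPSHOT sets the flag to 0 so a pre-release of 1.10.1 sorts *below*
    the 1.10.1 release and is still treated as unfixed.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad '1.10' to (1, 10, 0)
    return (nums, 0 if m.group(2) else 1)


def is_fixed(version: str) -> bool:
    """True if the installed Pro Macros version contains the 1.10.1 fix."""
    return version_key(version) >= (FIXED_VERSION, 1)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the ids of wikis whose Pro Macros version is still unfixed."""
    return [wiki for wiki, version in inventory if not is_fixed(version)]


def find_macro_uses(page_content: str) -> List[Tuple[int, str]]:
    """Return (line number, macro id) for every Viewpdf/Viewppt invocation.

    Useful for reviewing which pages carry macro parameters that reach the
    unescaped code path before the upgrade lands.
    """
    hits = []
    for lineno, line in enumerate(page_content.splitlines(), start=1):
        for m in MACRO_RE.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits


# Constructed sample data: not taken from any real deployment.
SAMPLE_INVENTORY = [
    ("wiki-a", "1.9.2"),
    ("wiki-b", "1.10.1"),
    ("wiki-c", "1.10.1-rc-1"),
    ("wiki-d", "1.11"),
]

SAMPLE_PAGE = """= Quarterly report =
{{viewpdf file="report.pdf" /}}
Some text with no macro.
{{viewppt file="slides.ppt" width="600" /}}
{{info}}Unrelated macro{{/info}}
"""

if __name__ == "__main__":
    for wiki in triage(SAMPLE_INVENTORY):
        print(f"{wiki}: Pro Macros below 1.10.1, upgrade required")
    for lineno, macro in find_macro_uses(SAMPLE_PAGE):
        print(f"line {lineno}: {{{{{macro}}}}} invocation, review parameters")
```

The version comparison deliberately treats pre-release builds of 1.10.1 as unfixed; if your extension manager reports a qualifier you know to be post-release, adjust `version_key` rather than loosening the threshold.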

Do I need to act?

45.4% chance of exploitation in next 30 days (EPSS score; higher than 55% of all CVEs)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Fix available: upgrade to Pro Macros 1.10.1 (the fix referenced by commit a823071246993846aad88baa4e395c779859fcdc)
CVSS 10.0/10 Critical (NETWORK attack vector, LOW attack complexity)

Affected Products (1)

Pro Macros

Affected Vendors

Risk score 55/100 · high-risk
Severity 33/34 · Critical
Exploitability 17/34 · Moderate
Exposure 5/34 · Minimal