Cyber Resilience

CVE-2023-24612

Severity: Critical (RCE)

Published: 30 January 2023

Modified: 28 March 2025
KEV Added: not listed
Patch: commit b07b6a64
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0721 (91.8th percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-24612 is a critical-severity Command Injection (CWE-77) vulnerability in Pdfbook Project Pdfbook. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The PdfBook extension for MediaWiki, through version 2.0.5 and prior to commit b07b6a64, contains a command-injection flaw (CWE-77) that is triggered through an option value passed to the PDF-generation process. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting network-reachable, unauthenticated exploitation with no user interaction required.

An attacker able to reach a MediaWiki instance using the affected extension can supply a malicious option value that results in arbitrary operating-system command execution, thereby obtaining full control over the confidentiality, integrity, and availability of the underlying server.

The referenced merge request implements the corrective change that eliminates the unsanitized option handling; administrators should update PdfBook to a revision at or after b07b6a64.
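The following PHP fragment is an added illustration of the class of bug described above; it is not PdfBook's code, and the tool path, option name and allowed values are hypothetical. It contrasts the unsafe pattern (interpolating a user-controlled option into a shell string) with the hardened pattern (an allow-list plus argument quoting):

```php
<?php
// Added illustration (not PdfBook's code). PDF_TOOL and the "--option" flag
// are hypothetical stand-ins for whatever the real extension invokes.
const PDF_TOOL = '/usr/bin/pdf-tool';

// VULNERABLE pattern: the option value is spliced into a shell command line.
// /bin/sh interprets any metacharacters in $option, so an untrusted value
// turns into arbitrary command execution (CWE-77).
function renderPdfUnsafe( string $inputHtml, string $option ): string {
    $cmd = PDF_TOOL . " --option=$option " . $inputHtml;
    return (string)shell_exec( $cmd );
}

// HARDENED pattern:
//   1. accept only values from an explicit allow-list, and
//   2. quote every argument with escapeshellarg() so the shell never parses
//      attacker-controlled text as syntax.
const ALLOWED_OPTIONS = [ 'portrait', 'landscape' ];

function renderPdfSafe( string $inputHtml, string $option ): string {
    if ( !in_array( $option, ALLOWED_OPTIONS, true ) ) {
        throw new InvalidArgumentException( 'Unsupported PDF option' );
    }
    $cmd = escapeshellcmd( PDF_TOOL )
        . ' --option=' . escapeshellarg( $option )
        . ' ' . escapeshellarg( $inputHtml );
    return (string)shell_exec( $cmd );
}
```

In a real MediaWiki extension the preferred form is core's `Shell::command()` helper, which takes each argument as a separate parameter and never hands a concatenated string to the shell; the allow-list check remains worthwhile on top of that, since it rejects unexpected values before they reach any external process.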

EPSS remains low and unchanged at 0.0721 with no reported rise after disclosure.

Vulnerability details

The PdfBook extension through 2.0.5 before b07b6a64 for MediaWiki allows command injection via an option.

CWE(s): CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pdfbook project
Product: pdfbook
Versions: ≤ 2.0.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.