
CVE-2024-30054

Medium

Published: 14 May 2024

Modified: 08 January 2025
KEV Added: not listed
Patch: (no entry recorded)
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.1222 (94.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-30054 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Microsoft powerbi-javascript (the Power BI Client JavaScript SDK). Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Power BI Client JavaScript SDK contains an information disclosure vulnerability tracked as CVE-2024-30054. The flaw is rated 6.5 under CVSS 3.1 with an attack vector of network, low complexity, no required privileges, and required user interaction, resulting in high impact to confidentiality while leaving integrity and availability unaffected. It is associated with CWE-20 improper input validation.

An unauthenticated remote attacker can exploit the issue by supplying crafted input that a victim user interacts with, enabling unauthorized disclosure of sensitive information from affected Power BI client implementations. The attack does not require the attacker to be authenticated or to possess special privileges beyond the ability to reach the target over the network.

Microsoft has published an advisory for CVE-2024-30054 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30054 that addresses mitigation steps and available updates.

The EPSS score for this CVE stands at 0.1222 with an identical recorded peak, indicating moderate but stable exploitation probability without evidence of a post-disclosure increase. No public reports of active exploitation or AI/ML-specific relevance have been noted in the available data.

EU & UK References

Vulnerability details

Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability

CWE(s)

CWE-20: Improper Input Validation

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: powerbi-javascript
Versions: ≤ 2.23.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-20) Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- (addresses CWE-20) Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- (addresses CWE-20) Directly implements checks on information inputs to reject invalid data before processing.
- (addresses CWE-20) Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References