Cyber Resilience

CVE-2024-30372

Severity: Medium

Published: 22 November 2024
Modified: 03 January 2025
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available in Allegra 7.5.2 (see vendor release notes below)
CVSS v3.1 score: 6.3 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS score: 0.0712 (91.7th percentile)
Risk priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-30372 is a medium-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Alltena Allegra. Its CVSS base score is 6.3 (Medium).

Operationally, its EPSS score ranks it in the top 8.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Allegra contains a server-side template injection vulnerability in the getLinkText method that permits remote code execution on affected installations. The flaw stems from insufficient validation of user-supplied input before it is processed by the template engine, allowing code execution in the context of the LOCAL SERVICE account. The issue was reported as ZDI-CAN-23609 and carries a CVSS 3.1 score of 6.3.

An authenticated remote attacker can supply a crafted string to the vulnerable method and achieve arbitrary code execution on the target system. No user interaction is required beyond valid credentials, and the attack can be performed over the network with low complexity.

Vendor release notes for Allegra 7.5.2 and the corresponding Zero Day Initiative advisory ZDI-24-1165 address the issue and indicate that an update resolves the template-injection flaw. The EPSS score remains low, with negligible movement between its current value of 0.0712 and its recorded peak of 0.0722.

Vulnerability details

Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the getLinkText method. The issue results from the lack of proper validation of a user-supplied string before processing it with the template engine. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-23609.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: alltena
Product: allegra
Affected versions: ≤ 7.5.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
