CVE-2024-30372
Published: 22 November 2024
Summary
CVE-2024-30372 is a medium-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Alltena Allegra. Its CVSS base score is 6.3 (Medium).
Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Allegra contains a server-side template injection vulnerability in the getLinkText method that permits remote code execution on affected installations. The flaw stems from insufficient validation of user-supplied input before it is processed by the template engine, allowing code execution in the context of the LOCAL SERVICE account. The issue was reported as ZDI-CAN-23609 and carries a CVSS 3.1 score of 6.3.
An authenticated remote attacker can supply a crafted string to the vulnerable method and achieve arbitrary code execution on the target system. No user interaction is required beyond valid credentials, and the attack can be performed over the network with low complexity.
Vendor release notes for Allegra 7.5.2 and the corresponding Zero Day Initiative advisory ZDI-24-1165 address the issue and indicate that an update resolves the template-injection flaw. The EPSS score remains low with negligible movement between its current value of 0.0712 and recorded peak of 0.0722.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-28293
Vulnerability details
Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the getLinkText method. The issue results from the lack of proper validation of a user-supplied string before processing it with the template engine. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-23609.
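The analysis above and the ZDI description both come down to one pattern: a user-supplied string (the link text) reaches the template engine as template source rather than as a substituted value. The following is an added illustration, not Allegra's code and not a description of its internals; Allegra's real template engine, its method signature and its log format are unknown here, so Python's standard-library string.Template stands in for the engine, and the context keys (issue_id, internal_token), the linkText request parameter and the log lines are all constructed assumptions. It contrasts the anti-pattern with the hardened form and adds a small defender-side check that flags template delimiters arriving in a field that should only ever hold plain text.

```python
import html
import re
from string import Template
from urllib.parse import unquote

# Constructed rendering context: the names are assumptions, not Allegra's.
CONTEXT = {"issue_id": "1234", "internal_token": "CONSTRUCTED-SECRET"}

# Fixed template source; the user-controlled link text enters only as a value.
LINK_TEMPLATE = Template('<a href="/issues/${issue_id}">${link_text}</a>')


def render_link_unsafe(link_text: str, ctx: dict) -> str:
    """Anti-pattern (the shape of CWE-1336): user input is concatenated into the
    template *source*, so the engine parses and evaluates whatever it contains.
    With this toy engine that only leaks context values; an engine that supports
    method calls is where it becomes code execution, as the advisory describes."""
    source = '<a href="/issues/${issue_id}">' + link_text + "</a>"
    return Template(source).safe_substitute(ctx)


def render_link_safe(link_text: str, ctx: dict) -> str:
    """Hardened form: the template source is constant, the user input is a
    substituted value (never re-parsed by the engine) and is HTML-escaped for
    the output context it lands in."""
    return LINK_TEMPLATE.safe_substitute(ctx, link_text=html.escape(link_text))


# Detection side: template-expression delimiters showing up in a field that should
# hold plain text. The delimiter list is a generic assumption, not Allegra-specific.
TEMPLATE_SYNTAX = re.compile(r"\$\{|\{\{|#\{|<%")
PARAM = re.compile(r"\blinkText=(\S*)")  # hypothetical request-log parameter name


def has_template_syntax(value: str) -> bool:
    """True if the (already URL-decoded) value contains template delimiters."""
    return TEMPLATE_SYNTAX.search(value) is not None


def flag_requests(log_lines: list[str]) -> list[int]:
    """Return indices of log lines whose linkText parameter carries template syntax."""
    flagged = []
    for i, line in enumerate(log_lines):
        m = PARAM.search(line)
        if m and has_template_syntax(unquote(m.group(1))):
            flagged.append(i)
    return flagged


# Constructed sample request-log lines (not real Allegra logs).
SAMPLE_LOGS = [
    "2024-11-22T10:00:00Z POST /issue/edit user=alice linkText=Open%20bug",
    "2024-11-22T10:01:00Z POST /issue/edit user=bob linkText=%24%7Binternal_token%7D",
]

if __name__ == "__main__":
    probe = "${internal_token}"
    print("unsafe:", render_link_unsafe(probe, CONTEXT))  # context value is substituted
    print("safe:  ", render_link_safe(probe, CONTEXT))    # delimiters emitted literally
    print("flagged log lines:", flag_requests(SAMPLE_LOGS))
```

The fix that matters is the one in render_link_safe: keep template source under application control and pass user data through the engine's value-substitution path only. The detection helper is a compensating control for the window before the 7.5.2 update is applied; it reports which requests to look at and nothing else.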
- CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.