
CVE-2024-42346

Severity: High

Published: 20 September 2024
Modified: 15 August 2025
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.1030 (93.3rd percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-42346 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Galaxyproject Galaxy. Its CVSS base score is 7.6 (High).

Operationally, its EPSS score ranks it in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Galaxy is an open-source platform for data analysis, workflow authoring, and related scientific computing tasks. CVE-2024-42346 is a stored cross-site scripting vulnerability (CWE-79) in the editor visualization feature at the /visualizations endpoint. The flaw allows an authenticated user to persist arbitrary HTML tags that execute JavaScript when the visualization is subsequently edited. The issue affects all supported Galaxy release branches back to 20.05.

An attacker with low-privileged network access can supply malicious markup through the affected endpoint. Because the payload requires no user interaction and executes in the context of other users who later edit the visualization, the attacker can achieve high-impact confidentiality exposure along with limited integrity and availability effects, consistent with the CVSS 7.6 rating.

The official Galaxy security advisory GHSA-x6w7-3gwf-qr9r states that patches addressing the issue have been applied to all maintained branches and recommends that administrators upgrade immediately. No workarounds are known.

EPSS for the CVE has remained flat at 0.1030 since disclosure, indicating no material increase in observed exploitation interest.


Vulnerability details

Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

galaxyproject galaxy, versions ≤ 24.1.1

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-79) Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- (addresses CWE-79) Validates web inputs to reject script-related content that could produce XSS.
- (addresses CWE-79) Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
