CVE-2024-42346
Published: 20 September 2024
Summary
CVE-2024-42346 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Galaxyproject Galaxy. Its CVSS base score is 7.6 (High).
Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Galaxy is an open-source platform for data analysis, workflow authoring, and related scientific computing tasks. CVE-2024-42346 is a stored cross-site scripting vulnerability (CWE-79) in the editor visualization feature at the /visualizations endpoint. The flaw allows an authenticated user to persist arbitrary HTML tags that execute JavaScript when the visualization is subsequently edited. The issue affects all supported Galaxy release branches back to 20.05.
An attacker with low-privileged network access can supply malicious markup through the affected endpoint. Because the payload requires no user interaction and executes in the context of other users who later edit the visualization, the attacker can achieve high-impact confidentiality exposure along with limited integrity and availability effects, consistent with the CVSS 7.6 rating.
The official Galaxy security advisory GHSA-x6w7-3gwf-qr9r states that patches addressing the issue have been applied to all maintained branches and recommends that administrators upgrade immediately. No workarounds are known.
EPSS for the CVE has remained flat at 0.1030 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39564
Vulnerability details
Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.