CVE-2024-42489
Published: 12 August 2024
Summary
CVE-2024-42489 is a critical-severity Injection (CWE-74) vulnerability in XWiki Pro Macros. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-42489 is a remote code execution vulnerability in the Pro Macros extension for XWiki, which supplies Confluence-compatible rendering macros. The root cause is missing output escaping in the Viewpdf macro (and similarly in Viewppt and related macros), specifically within the handling of user-supplied content passed to the CKEditor.HTMLConverter page. The flaw is tracked as CWE-74 and carries a CVSS 3.1 score of 10.0.
Any unauthenticated or low-privileged user who can view the CKEditor.HTMLConverter page, or who holds edit or comment rights on any page, can supply crafted input that results in arbitrary code execution on the server. The attack requires no user interaction and can be performed over the network.
The vulnerability is fixed in Pro Macros version 1.10.1. The project security advisory and the associated commit on GitHub document the addition of proper escaping at the affected template locations in Viewpdf.xml and related files.
The EPSS score reached 0.4540 at disclosure and has stayed at that level since.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39643
Vulnerability details
Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).