CVE-2024-42489

Source
https://cve.org/CVERecord?id=CVE-2024-42489
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-42489.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-42489
Aliases
  • GHSA-cfq3-q227-7j65
Published
2024-08-12T15:49:18.935Z
Modified
2025-12-01T09:07:29.792645Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Pro Macros Remote Code Execution via Viewpdf and similar macros
Details

Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the CKEditor.HTMLConverter page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42489.json",
    "cwe_ids": [
        "CWE-74"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/xwikisas/xwiki-pro-macros

Affected ranges

Type
GIT
Repo
https://github.com/xwikisas/xwiki-pro-macros
Events

Affected versions

xwiki-pro-macros-1.*
xwiki-pro-macros-1.0
xwiki-pro-macros-1.1
xwiki-pro-macros-1.1.1
xwiki-pro-macros-1.10
xwiki-pro-macros-1.2
xwiki-pro-macros-1.2.1
xwiki-pro-macros-1.2.2
xwiki-pro-macros-1.6
xwiki-pro-macros-1.6.1
xwiki-pro-macros-1.7
xwiki-pro-macros-1.7.1
xwiki-pro-macros-1.8
xwiki-pro-macros-1.8.1
xwiki-pro-macros-1.9.3
xwiki-pro-macros-parent-1.*
xwiki-pro-macros-parent-1.3
xwiki-pro-macros-parent-1.4
xwiki-pro-macros-parent-1.5
xwiki-pro-macros-parent-1.9
xwiki-pro-macros-parent-1.9.1
xwiki-pro-macros-parent-1.9.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-42489.json"