Description
Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65
Patch x_refsource_misc
https://github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba
Scores
CVSS v3
10.0
EPSS
0.4540
EPSS Percentile
97.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (1)
xwiki/pro_macros
1.0 - 1.10.1
Published
Aug 12, 2024
Tracked Since
Feb 18, 2026