CVE-2024-30299
published 2024-06-13

Priority: P2 · 60 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.05% (60.0th percentile)

Adobe Framemaker Publishing Server versions 2020.3, 2022.2 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
adobe | adobe_framemaker_publishing_server | <= 2022.2 |
adobe | framemaker_publishing_server | < 2020 | 2020
adobe | framemaker_publishing_server | |
adobe | framemaker_publishing_server | |

Detection & IOCs (extracted from sources)

path: /server/Queue
path: /server/queue
path: /server/tasks
process: FrameMakerEx.exe
  • Detect unauthenticated HTTP requests to /server/Queue or /server/Task (mixed/upper case variants) on FMPS servers — these bypass the case-sensitive authentication check in login.js while still matching the case-insensitive Express router.
  • Alert on unauthenticated POST/GET requests to any /server/* path that uses mixed-case variants (e.g., /Server/, /SERVER/, /server/Task, /server/Queue) without a valid JWT Authorization header.
  • Monitor for new worker/client registrations via the /workeridentifier or /connParams endpoints from unexpected external IP addresses, as attackers can register a rogue FMPS worker to harvest tasks and JWT tokens.
  • Monitor the FMPS MongoDB 'stubFM' database users collection for unexpected reads or modifications of the accessToken field, which contains live JWT tokens for logged-in users.
  • Alert on upload of Windows batch files (.bat) via the FMPS pre-publish or post-publish script upload API endpoints (/server/tasks/pre/, /server/tasks/post/), especially from unauthenticated or anomalous sessions.
  • The authentication bypass only works because login.js performs case-sensitive string matching while Node.js Express routing is case-insensitive by default. Defenders should verify whether their FMPS deployment has case-sensitive routing enabled on Express, as that would close the bypass without patching.
  • The /connParams, /workeridentifier, /server, /connectionParameter, /auth/login, /auth/ldap, and /doxserver paths are explicitly configured to disable authentication in login.js — traffic to these endpoints is always unauthenticated by design and should be restricted at the network layer.
  • FMPS publication tasks may contain plaintext or encrypted credentials to external CMS systems (SharePoint, DitaExchange, Adobe Experience Manager). If the API is exposed, credential harvesting is possible without any further exploitation.
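
A sketch of the first three detection bullets as log-scanning logic. This is an added example, not code from Adobe or from the sources this page quotes. It assumes a reverse proxy in front of FMPS writes JSON-lines access logs with the hypothetical fields src, method, path and has_auth, that the application's own routes are all lowercase, and that legitimate workers live in the constructed network 10.20.0.0/24.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption: networks where legitimate FMPS workers live (constructed value).
WORKER_NETS = [ipaddress.ip_network("10.20.0.0/24")]
REGISTRATION_PATHS = {"/workeridentifier", "/connparams"}

# Constructed sample: JSON-lines access log from a reverse proxy in front of FMPS.
# Field names (src, method, path, has_auth) are assumptions, not an FMPS log format.
SAMPLE_LOG = """\
{"src": "10.20.0.15", "method": "GET", "path": "/server/queue", "has_auth": true}
{"src": "203.0.113.7", "method": "GET", "path": "/server/Queue", "has_auth": false}
{"src": "203.0.113.7", "method": "POST", "path": "/SERVER/tasks?x=1", "has_auth": false}
{"src": "10.20.0.15", "method": "POST", "path": "/workeridentifier", "has_auth": false}
{"src": "198.51.100.9", "method": "POST", "path": "/connParams", "has_auth": false}
{"src": "10.20.0.30", "method": "GET", "path": "/server/Task", "has_auth": true}
"""

def classify(event):
    """Return a list of alert names for one parsed log event."""
    raw_path = urlsplit(event["path"]).path   # drop the query string
    folded = raw_path.lower()                 # what a case-insensitive router matches
    alerts = []
    # Rule 1: the path routes under /server/ case-insensitively, its casing
    # differs from the lowercase form, and no Authorization header was sent.
    if folded.startswith("/server/") and raw_path != folded and not event["has_auth"]:
        alerts.append("mixed_case_server_path_unauthenticated")
    # Rule 2: worker registration endpoint hit from outside the worker networks.
    if folded.rstrip("/") in REGISTRATION_PATHS:
        src = ipaddress.ip_address(event["src"])
        if not any(src in net for net in WORKER_NETS):
            alerts.append("worker_registration_from_unexpected_source")
    return alerts

def scan(log_text):
    """Yield (line_number, src, path, alerts) for every line that triggers a rule."""
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        alerts = classify(event)
        if alerts:
            yield n, event["src"], event["path"], alerts

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```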