The PDF Viewer macro can be used to view PDF attachments with restricted access
CVE-2024-30263
7.7HIGH
What is CVE-2024-30263?
The macro-pdfviewer for XWiki, which employs Mozilla pdf.js, contains a vulnerability that permits users with edit rights to gain unauthorized access to restricted PDF attachments. This occurs by substituting the attachment URL into the file
parameter. Furthermore, users possessing view rights can access these restricted PDFs if the macro is embedded within public-facing pages, thereby exposing sensitive information unintentionally. The issue has been addressed and resolved in version 2.5.1.
Affected Version(s)
macro-pdfviewer <= 2.5.0