The PDF Viewer macro can be used to view PDF attachments with restricted access
CVE-2024-30263

7.7HIGH

Key Information:

Vendor: Xwikisas
Status: Macro-PDFviewer
Vendor: CVE Published:; 4 April 2024

Summary

The macro-pdfviewer for XWiki, which employs Mozilla pdf.js, contains a vulnerability that permits users with edit rights to gain unauthorized access to restricted PDF attachments. This occurs by substituting the attachment URL into the file parameter. Furthermore, users possessing view rights can access these restricted PDFs if the macro is embedded within public-facing pages, thereby exposing sensitive information unintentionally. The issue has been addressed and resolved in version 2.5.1.

Affected Version(s)

macro-pdfviewer <= 2.5.0

References

https://github.com/xwikisas/macro-pdfviewer/security/advi...

x_refsource_CONFIRM

https://github.com/xwikisas/macro-pdfviewer/issues/49

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Apr 4, 2024