Access Control Vulnerability in PDF Viewer Macro for XWiki by XWiki SAS
CVE-2024-52298
What is CVE-2024-52298?
macro-pdfviewer is a PDF Viewer Macro for XWiki that renders attachments with the Mozilla pdf.js library. Its 'Delegate my view right' feature serves a PDF using the rights of the page's author rather than the rights of the user who is viewing the page. An attacker who can view a page on which an author with broader rights enabled this feature can exploit it by supplying the macro with a reference to a PDF file the author is allowed to read; the macro then resolves the protected attachment on the author's behalf and the attacker obtains its URL. A page that only shows 'N/A' in the viewer is not safe either: inspecting the browser's network requests reveals the attachment URL carried in the macro's JSON responses. The flaw bypasses the access control expected for protected attachments. It is fixed in macro-pdfviewer version 2.5.6.
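The following Python model is an added illustration of the confused-deputy pattern the advisory describes. It is not code from macro-pdfviewer, XWiki, or the 2.5.6 fix; the classes, the sample wiki, the "Space.Page@file.pdf" reference form and the download URL layout are assumptions made for the example. The vulnerable handler takes the attachment reference from the request and, when delegation is on, authorizes it as the page author, so any attachment the author may read becomes reachable to anyone who may view the page; it also returns the URL in the denied response, which is the 'N/A' leak. The hardened handler (one possible design, not the project's) honours delegation only for references the author actually saved in the page, and a denied response carries nothing that identifies the attachment.

```python
"""Model of a delegated-view-right flaw in an attachment-serving macro.

Added illustration only; not code from macro-pdfviewer or XWiki, and not the
2.5.6 fix. Classes, the sample wiki, the reference format and the URL layout
are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Document:
    name: str                                   # e.g. "HR.Salaries" (assumed naming)
    author: str                                 # author whose rights may be delegated
    viewers: set = field(default_factory=set)   # users granted view right
    # attachment references the author saved in the page's own macro calls
    embedded_pdfs: set = field(default_factory=set)


@dataclass
class Wiki:
    docs: dict = field(default_factory=dict)

    def add(self, doc):
        self.docs[doc.name] = doc

    def can_view(self, user, doc_name):
        doc = self.docs[doc_name]
        return user == doc.author or user in doc.viewers

    @staticmethod
    def attachment_url(ref):
        # Assumed reference form "Space.Page@file.pdf" and assumed URL layout.
        doc_name, filename = ref.split("@", 1)
        return "/download/" + doc_name.replace(".", "/") + "/" + filename


def serve_vulnerable(wiki, page_name, requester, file_ref, delegate):
    """Vulnerable: file_ref is taken from the request, and with delegate=True
    the check runs as the page author, so the requester inherits every
    attachment the author may read. The denied branch still leaks the URL."""
    page = wiki.docs[page_name]
    if not wiki.can_view(requester, page_name):
        return {"display": "N/A", "url": None}
    acting_as = page.author if delegate else requester
    target_doc = file_ref.split("@", 1)[0]
    if wiki.can_view(acting_as, target_doc):
        return {"display": "pdf", "url": wiki.attachment_url(file_ref)}
    # Viewer shows 'N/A', but the JSON payload still carries the attachment URL.
    return {"display": "N/A", "url": wiki.attachment_url(file_ref)}


def serve_hardened(wiki, page_name, requester, file_ref, delegate):
    """Hardened (one possible design): the author's rights are used only for
    references the author saved in the page, never for a request-supplied
    reference, and a denied response identifies no attachment."""
    page = wiki.docs[page_name]
    if not wiki.can_view(requester, page_name):
        return {"display": "N/A"}
    target_doc = file_ref.split("@", 1)[0]
    acting_as = requester
    if delegate and file_ref in page.embedded_pdfs:
        acting_as = page.author
    if wiki.can_view(acting_as, target_doc):
        return {"display": "pdf", "url": wiki.attachment_url(file_ref)}
    return {"display": "N/A"}


def build_sample_wiki():
    """Constructed sample data: a page by 'alice' that mallory may view and
    that embeds alice's own report, plus a restricted HR page only alice and
    its author 'hr' may read."""
    wiki = Wiki()
    wiki.add(Document("Public.Report", author="alice", viewers={"mallory"},
                      embedded_pdfs={"Public.Report@report.pdf"}))
    wiki.add(Document("HR.Salaries", author="hr", viewers={"alice"}))
    return wiki


if __name__ == "__main__":
    w = build_sample_wiki()
    attack = "HR.Salaries@salaries.pdf"   # reference mallory supplies herself
    print("vulnerable, delegated:", serve_vulnerable(w, "Public.Report", "mallory", attack, True))
    print("vulnerable, 'N/A' leak:", serve_vulnerable(w, "Public.Report", "mallory", attack, False))
    print("hardened, delegated:  ", serve_hardened(w, "Public.Report", "mallory", attack, True))
    print("hardened, legit embed:", serve_hardened(w, "Public.Report", "mallory",
                                                  "Public.Report@report.pdf", True))
```

The point to take from the model is that delegation must be bound to what the author actually placed on the page, and that a denial must be a denial at the data layer as well as in the rendered widget; a client that hides the viewer while the server still returns the URL has not enforced anything.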
