Access Control Vulnerability in PDF Viewer Macro for XWiki by XWiki SAS
CVE-2024-52298

7.5 HIGH

Key Information:

Vendor: XWiki
CVE Published: 13 November 2024

Summary

The macro-pdfviewer extension for XWiki, which is built on the Mozilla pdf.js library, contains a vulnerability that allows unauthorized access to protected PDF attachments through its 'Delegate my view right' feature. An attacker can exploit the flaw by placing a reference to a PDF attachment inside the macro. If the attacker has access to a page whose author is permitted to view that attachment, the macro resolves the reference with the author's delegated right and discloses the URL of the protected file. Even when the rendered page only shows 'N/A', the JSON responses visible in the browser's network requests still contain the attachment URL, so the information is exposed regardless of what is displayed. The vulnerability bypasses the access controls that should apply to the attachment and has been fixed in version 2.5.6 of the extension.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published