Vulnerability in PDF Viewer Macro for XWiki Affects User Data Access
CVE-2024-52299

7.5 HIGH

Key Information:

Vendor:
XWiki
CVE Published:
13 November 2024

Summary

macro-pdfviewer is a PDF Viewer Macro for XWiki built on the Mozilla pdf.js library. A vulnerability allows any user with view rights on XWiki.PDFViewerService to access any attachment stored in the wiki. The flaw arises from an incorrect computation of the key used to restrict access, specifically through improper handling of the digest stream. As a result, unauthorized users may gain access to sensitive documents. The issue has been fixed in version 2.5.6; installations should update to that version to protect attachment data.

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published