Cross-Site Scripting Vulnerability in XWiki's PDF Viewer Macro
CVE-2024-52300
9CRITICAL
Summary
The macro-pdfviewer, which serves as a PDF viewer macro for XWiki leveraging Mozilla pdf.js, contains a vulnerability stemming from improper escaping of the width parameter. This flaw enables cross-site scripting (XSS) attacks; any user with the ability to edit a page can inject malicious code. When an administrator views a page containing such malicious code, the integrity, confidentiality, and availability of the entire XWiki installation can be compromised. The issue is addressed in version 2.5.6 of the product.
References
CVSS V3.1
Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published