macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment. For this, the attacker only needs to provide the reference to a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can access the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the page and check the HTTP request that fetches the live data entries. The attachment URL is available in the returned JSON for all attachments, including protected ones and allows getting the necessary values. This vulnerability is fixed in version 2.5.6.
Metrics
Affected Vendors & Products
References
History
Mon, 18 Nov 2024 17:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Xwiki
Xwiki pdf Viewer Macro |
|
Weaknesses | NVD-CWE-noinfo | |
CPEs | cpe:2.3:a:xwiki:pdf_viewer_macro:*:*:*:*:pro:*:*:* | |
Vendors & Products |
Xwiki
Xwiki pdf Viewer Macro |
Wed, 13 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Xwikisas
Xwikisas macro Pdfviewer |
|
CPEs | cpe:2.3:a:xwikisas:macro_pdfviewer:*:*:*:*:*:*:*:* | |
Vendors & Products |
Xwikisas
Xwikisas macro Pdfviewer |
|
Metrics |
ssvc
|
Wed, 13 Nov 2024 16:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment. For this, the attacker only needs to provide the reference to a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can access the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the page and check the HTTP request that fetches the live data entries. The attachment URL is available in the returned JSON for all attachments, including protected ones and allows getting the necessary values. This vulnerability is fixed in version 2.5.6. | |
Title | macro-pdfviewer's preview in WYSIWYG editor allows accessing any PDF document as the last author | |
Weaknesses | CWE-615 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-13T15:42:42.501Z
Updated: 2024-11-13T19:06:04.381Z
Reserved: 2024-11-06T19:00:26.395Z
Link: CVE-2024-52298
Vulnrichment
Updated: 2024-11-13T19:05:57.724Z
NVD
Status : Analyzed
Published: 2024-11-13T16:15:19.713
Modified: 2024-11-18T17:29:27.170
Link: CVE-2024-52298
Redhat
No data.