macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki, because the "key" that is passed to prevent this is computed incorrectly: calling skip on the digest stream doesn't update the digest. This is fixed in 2.5.6.
History

Thu, 14 Nov 2024 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Xwikisas
Xwikisas macro Pdfviewer
CPEs cpe:2.3:a:xwikisas:macro_pdfviewer:*:*:*:*:*:*:*:*
Vendors & Products Xwikisas
Xwikisas macro Pdfviewer
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
Description macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki, because the "key" that is passed to prevent this is computed incorrectly: calling skip on the digest stream doesn't update the digest. This is fixed in 2.5.6.
Title The PDF viewer macro allows accessing any attachment without access right checks
Weaknesses CWE-340
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-13T15:29:07.107Z

Updated: 2024-11-14T13:58:59.615Z

Reserved: 2024-11-06T19:00:26.395Z

Link: CVE-2024-52299

Vulnrichment

Updated: 2024-11-14T13:58:54.437Z

NVD

Status: Awaiting Analysis

Published: 2024-11-13T16:15:19.990

Modified: 2024-11-13T17:01:16.850

Link: CVE-2024-52299

Redhat

No data.