macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6.
History

Mon, 18 Nov 2024 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Xwiki; Xwiki pdf Viewer Macro
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:xwiki:pdf_viewer_macro:*:*:*:*:pro:*:*:*
Vendors & Products | | Xwiki; Xwiki pdf Viewer Macro

Wed, 13 Nov 2024 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Xwikisas; Xwikisas macro Pdfviewer
CPEs | | cpe:2.3:a:xwikisas:macro_pdfviewer:*:*:*:*:*:*:*:*
Vendors & Products | | Xwikisas; Xwikisas macro Pdfviewer
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 Nov 2024 15:45:00 +0000

Type | Values Removed | Values Added
Description | | macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6.
Title | | macro-pdfviewer has an XSS through the width parameter
Weaknesses | | CWE-80
References | |
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-13T15:24:59.125Z

Updated: 2024-11-13T19:10:59.349Z

Reserved: 2024-11-06T19:00:26.396Z

Link: CVE-2024-52300

Vulnrichment

Updated: 2024-11-13T19:10:52.296Z

NVD

Status: Analyzed

Published: 2024-11-13T16:15:20.240

Modified: 2024-11-18T17:29:46.807

Link: CVE-2024-52300

Redhat

No data.