CVE-2024-30263

Published: Apr 4, 2024

Modified: Aug 21, 2024

PUBLISHED

CVSS v3.1

7.7

HIGH

Description

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference. This vulnerability has been patched in version 2.5.1.

Vendor	Product	Versions
xwikisas	macro-pdfviewer	affected `<= 2.5.0`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-93qq-2h34-g29f

x_refsource_CONFIRM

https://github.com/xwikisas/macro-pdfviewer/issues/49

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-30263

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References