CVE-2024-52300

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-84wx-6vfp-5m6g	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xwiki:pdf_viewer_macro:*:*:*:*:pro:*:*:*

History

18 Nov 2024, 17:29

Type	Values Removed	Values Added
Summary		(es) macro-pdfviewer es una macro de visor de PDF para XWiki que utiliza Mozilla pdf.js. El parámetro width de la macro del visor de PDF no se escapa correctamente, lo que permite XSS para cualquier usuario que pueda editar una página. XSS puede afectar la confidencialidad, integridad y disponibilidad de toda la instalación de XWiki cuando un administrador visita la página con el código malicioso. Esto se solucionó en 2.5.6.
References	~~() https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-84wx-6vfp-5m6g -~~	() https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-84wx-6vfp-5m6g - Third Party Advisory
CPE		cpe:2.3:a:xwiki:pdf_viewer_macro:::::pro:::*
First Time		Xwiki pdf Viewer Macro Xwiki
CWE		CWE-79

13 Nov 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-13 16:15

Updated : 2024-11-18 17:29

NVD link : CVE-2024-52300

Mitre link : CVE-2024-52300

CVE.ORG link : CVE-2024-52300

JSON object : View

Products Affected

xwiki

pdf_viewer_macro

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2024-52300", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2024-11-13T16:15:20.240", "references": [{"url": "https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-84wx-6vfp-5m6g", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6."}, {"lang": "es", "value": "macro-pdfviewer es una macro de visor de PDF para XWiki que utiliza Mozilla pdf.js. El par\u00e1metro width de la macro del visor de PDF no se escapa correctamente, lo que permite XSS para cualquier usuario que pueda editar una p\u00e1gina. XSS puede afectar la confidencialidad, integridad y disponibilidad de toda la instalaci\u00f3n de XWiki cuando un administrador visita la p\u00e1gina con el c\u00f3digo malicioso. Esto se solucion\u00f3 en 2.5.6."}], "lastModified": "2024-11-18T17:29:46.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:pdf_viewer_macro:*:*:*:*:pro:*:*:*", "vulnerable": true, "matchCriteriaId": "75E88265-41BB-488A-9003-7F7D65FF38F0", "versionEndExcluding": "2.5.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}