XWiki PDF Viewer Macro Access Control Vulnerability
CVE-2024-52298 Published on November 13, 2024
macro-pdfviewer's preview in WYSIWYG editor allows accessing any PDF document as the last author
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment. For this, the attacker only needs to provide the reference to a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can access the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the page and check the HTTP request that fetches the live data entries. The attachment URL is available in the returned JSON for all attachments, including protected ones and allows getting the necessary values. This vulnerability is fixed in version 2.5.6.
Vulnerability Analysis
CVE-2024-52298 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Inclusion of Sensitive Information in Source Code Comments
While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.
Products Associated with CVE-2024-52298
stack.watch emails you whenever new vulnerabilities are published in Xwiki or Xwiki Pdf Viewer Macro. Just hit a watch button to start following.
Affected Versions
xwikisas macro-pdfviewer:- Version >= 1.6.2, < 2.5.6 is affected.
- Before and including 1.6.2 is affected.
- Before 2.5.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.