XWiki PDF Viewer Macro Access Control Vulnerability
CVE-2024-52299 Published on November 13, 2024
The PDF viewer macro allows accessing any attachment without access right checks
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki as the "key" that is passed to prevent this is computed incorrectly, calling skip on the digest stream doesn't update the digest. This is fixed in 2.5.6.
Vulnerability Analysis
CVE-2024-52299 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Generation of Predictable Numbers or Identifiers
The product uses a scheme that generates numbers or identifiers that are more predictable than required.
Products Associated with CVE-2024-52299
stack.watch emails you whenever new vulnerabilities are published in Xwiki or Xwiki Pdf Viewer Macro. Just hit a watch button to start following.
Affected Versions
xwikisas macro-pdfviewer:- Version >= 1.6.2, < 2.5.6 is affected.
- Before and including 1.6.2 is affected.
- Before 2.5.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.