CVE-2024-30263 HIGH

CVE-2024-30263: The PDF Viewer macro can be used to view PDF attachments with restricted access

Vendor Xwikisas

Product macro-pdfviewer

Weakness CWE-200 · Info exposure

Published April 4, 2024

Last update August 21, 2024

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference. This vulnerability has been patched in version 2.5.1.

Key dates

02Disclosure timeline

April 4, 2024 CVE published

August 21, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-30263 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2024-30263: The PDF Viewer macro can be used to view PDF attachments with restricted access

01Description

02Disclosure timeline

03References

04Related CVE