CVE-2024-52300 CRITICAL

CVE-2024-52300: macro-pdfviewer has an XSS through the width parameter

Vendor Xwikisas
Product macro-pdfviewer
Weakness CWE-80 · XSS · basic
Published November 13, 2024
Last update November 13, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro is not properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page containing the malicious code. This is fixed in version 2.5.6.

Key dates

Disclosure timeline

November 13, 2024 CVE published
November 13, 2024 Record updated