History: Apr 04, 2024 - 5:15 p.m.

CVE-2024-30263

2024-04-04 17:15:10
CWE-200
web.nvd.nist.gov
Tags: cve-2024-30263, macro-pdfviewer, xwiki, mozilla pdf.js, pdf viewer macro, security vulnerability, patched, version 2.5.1

CVSS3: 7.7 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.0%)

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the file parameter. Users with view rights can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference. This vulnerability has been patched in version 2.5.1.

Affected configurations

Vulners
Node: xwikisas macro_pdfviewer
Range: 2.5.0

CNA Affected

[
  {
    "vendor": "xwikisas",
    "product": "macro-pdfviewer",
    "versions": [
      {
        "version": "<= 2.5.0",
        "status": "affected"
      }
    ]
  }
]
