HackerOne report H1:819863 (skewbed)

Nextcloud: XSS in PDF Viewer

Reported: 2020-03-16 02:01:22
Reporter: skewbed
Source: hackerone.com
Bounty: $100
766

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.024 Low (Percentile 88.3%)

An outdated version of PDF.js in use allows for the CVE-2018-5158 vulnerability.

When the payload PDF is shown in the supplied PDF viewer, it can execute arbitrary JavaScript.

I have tested the payload PDF, and it is working in Safari 13.0.5 (the latest version) and Firefox 74.0 (the latest version). It does not, however, work in the latest version of Chrome.

I could not find a way to test it on the desktop client. I assume that it would use the system PDF viewer.

Modifying the payload to fetch other code was luckily blocked because of a CORS policy.

The payload is from https://bugzilla.mozilla.org/show_bug.cgi?id=1452075.
I have also included the PDF in the attachments.

The payload can be seen in action by checking the JavaScript console. It says “Hello, this is code running in” followed by the path to the file where the vulnerability is.

Impact

An attacker could execute arbitrary JavaScript code on a web browser when a PDF containing an exploit is opened.
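The root cause named above is an outdated bundled PDF.js. As an added example (not code from the report or from Nextcloud), here is a defender-side check that reads the version literal from built pdf.js files under an install tree and compares it numerically with a minimum version you supply. It assumes the build declares `pdfjsVersion = '...'` as PDF.js builds of that era do; the first fixed release is not stated in the report, so it is passed in as an argument rather than hard-coded.

```python
"""Check whether a bundled PDF.js build is older than a given minimum version.

Added example, not code from the report or from Nextcloud. Assumes the built
pdf.js declares `var pdfjsVersion = '1.10.100';` (the convention of PDF.js
builds of that era); the first fixed release is not stated in the report, so
the minimum version is supplied by the caller.
"""
import re
import sys
from pathlib import Path
from typing import Optional

_VERSION_RE = re.compile(r"""pdfjsVersion\s*=\s*['"](\d+(?:\.\d+)*)['"]""")


def extract_pdfjs_version(source: str) -> Optional[str]:
    """Return the version literal declared in a built pdf.js, or None."""
    match = _VERSION_RE.search(source)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """'1.10.100' -> (1, 10, 100), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(found: str, minimum: str) -> bool:
    """True when the found version sorts before the minimum fixed version."""
    return version_tuple(found) < version_tuple(minimum)


def find_outdated_builds(root: Path, minimum: str) -> list:
    """Walk an install tree and list (path, version) for every stale pdf*.js."""
    stale = []
    for path in root.rglob("pdf*.js"):
        version = extract_pdfjs_version(path.read_text(errors="ignore"))
        if version is not None and is_outdated(version, minimum):
            stale.append((path, version))
    return stale


if __name__ == "__main__":
    # usage: python check_pdfjs.py /path/to/nextcloud <minimum-fixed-version>
    root_dir, minimum_version = Path(sys.argv[1]), sys.argv[2]
    for path, version in find_outdated_builds(root_dir, minimum_version):
        print(f"OUTDATED {version} < {minimum_version}: {path}")
```

The numeric comparison matters because a string compare would rank `1.9.x` above `1.10.x` and miss exactly the stale builds the report describes.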
