Chiuchiusorin

**Name of the Vulnerable Software and Affected Versions** Mocca Calendar versions prior to 2.15 **Description** The Mocca Calendar application is susceptible to a cross-site scripting (XSS) issue. This issue occurs through manipulation of the title field when viewing an event page. **Recommendations** Update Mocca Calendar to version 2.15 or later.

**Name of the Vulnerable Software and Affected Versions** macro-pdfviewer versions prior to 2.5.6 **Description** The issue is related to the incorrect generation of keys in the implementation of the Simple Key-Management for Internet Protocol (SKIP) in the XWiki PDF Viewer Macro (Pro). This can allow a remote attacker to gain unauthorized access to protected information. Any user with view rights on XWiki.PDFViewerService can access any attachment stored in the wiki because the "key" that is passed to prevent this is computed incorrectly. **Recommendations** For versions prior to 2.5.6, update to version 2.5.6 to resolve the issue. As a temporary workaround, consider restricting access to the XWiki.PDFViewerService to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** macro-pdfviewer versions prior to 2.5.6 **Description** The issue is related to the macro-pdfviewer PDF viewer macro for XWiki, which uses Mozilla pdf.js. The `width` parameter of the PDF viewer macro is not properly escaped, allowing for cross-site scripting (XSS) attacks for any user who can edit a page. This can impact the confidentiality, integrity, and availability of the whole XWiki installation when an admin visits the page with the malicious code. **Recommendations** For versions prior to 2.5.6, update to version 2.5.6 to mitigate the security vulnerability. As a temporary workaround, consider restricting access to the `width` parameter in the PDF viewer macro until a patch is available. Avoid using the `width` parameter in the affected macro until the issue is resolved.