Mozilla · Pdf.Js · CVE-2024-52298
**Name of the Vulnerable Software and Affected Versions**
macro-pdfviewer versions prior to 2.5.6
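An added example (not part of the advisory, and not code from the macro-pdfviewer project) for triaging an inventory of XWiki instances against the affected range stated above. It assumes the extension reports its version as a dotted string, optionally with a qualifier such as `-rc1` or `-SNAPSHOT`, which is treated as older than the plain release; the inventory values are constructed samples.

```python
"""Decide whether an installed macro-pdfviewer version is affected by CVE-2024-52298.

The advisory states that versions prior to 2.5.6 are affected and that 2.5.6
fixes the issue. Version strings used below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "2.5.6"  # first fixed version, from the advisory


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn 'MAJOR.MINOR.PATCH[-qualifier]' into a sortable key.

    The key is (numeric parts, release flag, qualifier). The release flag is 1
    for a final release and 0 for a qualified build, so that a pre-release such
    as '2.5.6-rc1' sorts below the final '2.5.6' and is still counted as affected.
    Missing components are padded with zeros ('2.5' compares like '2.5.0').
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    qualifier = match.group(2) or ""
    release_flag = 1 if qualifier == "" else 0
    return numbers, release_flag, qualifier


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str], fixed: str = FIXED_VERSION) -> List[str]:
    """Return the names of the instances whose installed version is affected."""
    return [name for name, version in inventory.items() if is_affected(version, fixed)]


if __name__ == "__main__":
    # Constructed inventory: instance name -> installed macro-pdfviewer version.
    sample_inventory = {
        "wiki-a": "2.4.1",
        "wiki-b": "2.5.6-rc1",
        "wiki-c": "2.5.6",
        "wiki-d": "2.6.0",
    }
    for name in triage(sample_inventory):
        print(f"{name}: {sample_inventory[name]} is affected, update to {FIXED_VERSION}")
```

The release flag is what keeps a qualified build of the fixed version (for example a snapshot built before the fix landed) on the affected side of the comparison; a plain numeric compare would have treated `2.5.6-rc1` as equal to `2.5.6`.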
**Description**
The macro-pdfviewer, a PDF Viewer Macro for XWiki built on Mozilla pdf.js, has a vulnerability that allows an attacker to view any attachment through the "Delegate my view right" feature. This works as long as the attacker can view a page whose last author has access to the attachment. The attacker needs to pass the macro a reference to the PDF file, which can be obtained from the Attachments tab of the Page Index by inspecting the HTTP request that fetches the live data entries: the returned JSON contains the attachment URL for all attachments, including protected ones.
**Recommendations**
For versions prior to 2.5.6, update to version 2.5.6 to fix the vulnerability. As a temporary workaround, consider restricting access to the "Delegate my view right" feature until the update is applied. Additionally, restrict access to the Attachments tab of the Page Index to minimize the risk of exploitation.