CVE-2024-30263

Name of the Vulnerable Software and Affected Versions macro-pdfviewer versions prior to 2.5.1

Description The macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro by passing the attachment URL as the value of the file parameter. Additionally, users with view rights can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference.

Recommendations For versions prior to 2.5.1, update to version 2.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the PDF Viewer macro for users with edit and view rights until the update is applied. Avoid using the file parameter in the PDF Viewer macro to access restricted PDF attachments until the issue is resolved.