PT-2024-8489 · Mozilla · Pdf.Js
Highchiuchiusorin · Published 2024-11-13 · Updated 2024-11-18 · CVE-2024-52298

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: macro-pdfviewer versions prior to 2.5.6

Description: macro-pdfviewer, a PDF Viewer Macro for XWiki built on Mozilla pdf.js, has a vulnerability that allows an attacker to view any attachment through the "Delegate my view right" feature. The attack works as long as the attacker can view a page whose last author has access to the attachment. The attacker needs to pass the reference of a PDF file to the macro; that reference can be obtained from the Page Index, Attachments tab, by inspecting the HTTP request that fetches the live data entries. The returned JSON includes the attachment URL for every attachment, including protected ones.

Recommendations: For versions prior to 2.5.6, update to version 2.5.6, which fixes the vulnerability. As a temporary workaround, restrict access to the "Delegate my view right" feature until the update is applied. Additionally, restrict access to the Page Index, Attachments tab, to reduce the risk of exploitation.

Related Identifiers

BDU:2024-10049
CVE-2024-52298
GHSA-HPH4-7J37-7C97

Affected Products

Pdf.Js