CVE-2024-52299

Name of the Vulnerable Software and Affected Versions macro-pdfviewer versions prior to 2.5.6

Description The issue is related to the incorrect generation of keys in the implementation of the Simple Key-Management for Internet Protocol (SKIP) in the XWiki PDF Viewer Macro (Pro). This can allow a remote attacker to gain unauthorized access to protected information. Any user with view rights on XWiki.PDFViewerService can access any attachment stored in the wiki because the "key" that is passed to prevent this is computed incorrectly.

Recommendations For versions prior to 2.5.6, update to version 2.5.6 to resolve the issue. As a temporary workaround, consider restricting access to the XWiki.PDFViewerService to minimize the risk of exploitation.