PT-2024-8494 · Mozilla · Pdf.Js

Chiuchiusorin · Published 2024-11-13 · Updated 2024-11-18 · CVE-2024-52300

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: macro-pdfviewer versions prior to 2.5.6

Description: The issue affects the macro-pdfviewer PDF viewer macro for XWiki, which is built on Mozilla pdf.js. The macro's width parameter is not properly escaped when rendered, so any user who can edit a page can inject script through it, resulting in cross-site scripting (XSS). Because the injected code runs in the browser of whoever views the page, the confidentiality, integrity, and availability of the whole XWiki installation are at risk when an admin visits the page carrying the malicious code.

Recommendations: For versions prior to 2.5.6, update to version 2.5.6, which fixes the vulnerability. As a temporary workaround until the update can be applied, restrict access to the width parameter of the PDF viewer macro, and avoid using the width parameter in the affected macro until the issue is resolved.


XSS

Weakness Enumeration

Related Identifiers

BDU:2024-10054
CVE-2024-52300
GHSA-84WX-6VFP-5M6G

Affected Products

Pdf.Js