Home > Vulnerability Database > CVE-2024-52298

Mend.io Vulnerability Database

CVE-2024-52298

Good to know:

Date: November 13, 2024

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment. For this, the attacker only needs to provide the reference to a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can access the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the page and check the HTTP request that fetches the live data entries. The attachment URL is available in the returned JSON for all attachments, including protected ones and allows getting the necessary values. This vulnerability is fixed in version 2.5.6.

Language: Java

Severity Score

7.5

Related Resources (3)

Url: https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-hph4-7j37-7c97

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-52298

Url: https://www.mend.io/vulnerability-database/CVE-2024-52298

Severity Score

7.5

Weakness Type (CWE)

Inclusion of Sensitive Information in Source Code Comments

CWE-615

Top Fix

Upgrade Version

Upgrade to version macro-pdfviewer-2.5.6

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-52298

Good to know:

Date: November 13, 2024

Language: Java

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?