What is the severity of CVE-2024-52298?

CVE-2024-52298 is classified as a medium severity vulnerability.

How do I fix CVE-2024-52298?

To mitigate CVE-2024-52298, upgrade the XWiki PDF Viewer Macro to version 2.5.6 or later.

What type of attack is possible with CVE-2024-52298?

CVE-2024-52298 allows an attacker to view restricted attachments by exploiting the 'Delegate my view right' feature.

Which versions of XWiki PDF Viewer Macro are affected by CVE-2024-52298?

CVE-2024-52298 affects all versions of the XWiki PDF Viewer Macro prior to 2.5.6.

What is the primary consequence of CVE-2024-52298?

The primary consequence of CVE-2024-52298 is unauthorized access to sensitive PDF attachments.

Vulnerability/
CVE-2024-52298

high

7.5

CWE

615

13/11/2024

18/11/2024

CVE-2024-52298: macro-pdfviewer's preview in WYSIWYG editor allows accessing any PDF document as the last author

First published: Wed Nov 13 2024(Updated: )

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment. For this, the attacker only needs to provide the reference to a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can access the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the page and check the HTTP request that fetches the live data entries. The attachment URL is available in the returned JSON for all attachments, including protected ones and allows getting the necessary values. This vulnerability is fixed in version 2.5.6.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
XWiki PDF Viewer Macro	<2.5.6

Never miss a vulnerability like this again

Reference Links

https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-hph4-7j37-7c97

Frequently Asked Questions

What is the severity of CVE-2024-52298?
CVE-2024-52298 is classified as a medium severity vulnerability.
How do I fix CVE-2024-52298?
To mitigate CVE-2024-52298, upgrade the XWiki PDF Viewer Macro to version 2.5.6 or later.
What type of attack is possible with CVE-2024-52298?
CVE-2024-52298 allows an attacker to view restricted attachments by exploiting the 'Delegate my view right' feature.
Which versions of XWiki PDF Viewer Macro are affected by CVE-2024-52298?
CVE-2024-52298 affects all versions of the XWiki PDF Viewer Macro prior to 2.5.6.
What is the primary consequence of CVE-2024-52298?
The primary consequence of CVE-2024-52298 is unauthorized access to sensitive PDF attachments.

agent/title
agent/references
agent/weakness
agent/description
agent/type
agent/first-publish-date
agent/author
agent/severity
agent/event
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/tags
agent/softwarecombine
agent/source
vendor/xwiki
canonical/xwiki pdf viewer macro

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.