CVE-2024-52299: The PDF viewer macro allows accessing any attachment without access right checks
First published: Wed Nov 13 2024(Updated: )
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki as the "key" that is passed to prevent this is computed incorrectly, calling skip on the digest stream doesn't update the digest. This is fixed in 2.5.6.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Pdf Viewer Macro | <2.5.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-52299?
CVE-2024-52299 has been classified as a high severity vulnerability due to improper access controls in the PDF Viewer Macro.
How do I fix CVE-2024-52299?
To mitigate CVE-2024-52299, upgrade the XWiki PDF Viewer Macro to version 2.5.6 or later.
What impact does CVE-2024-52299 have on affected systems?
CVE-2024-52299 allows unauthorized users to access any attachment stored in the wiki if they have view rights on the XWiki.PDFViewerService.
Who is affected by CVE-2024-52299?
Any instance of XWiki running the PDF Viewer Macro prior to version 2.5.6 is affected by CVE-2024-52299.
What version of the PDF Viewer Macro is vulnerable to CVE-2024-52299?
CVE-2024-52299 affects all versions of the PDF Viewer Macro prior to 2.5.6.
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- agent/source
- vendor/xwiki
- canonical/xwiki pdf viewer macro