CVE-2024-52299 – The PDF viewer macro allows accessing any attachment without access right checks
https://notcve.org/view.php?id=CVE-2024-52299
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki, because the "key" that is passed to prevent this is computed incorrectly: the code calls skip() on the digest stream, and skip() does not update the digest, so the key does not depend on the data that was skipped and is predictable. This is fixed in 2.5.6. • https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-522m-m242-jr9p • CWE-340: Generation of Predictable Numbers or Identifiers •
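The skip()-versus-read() mistake, shown as an added example in Python that models java.security.DigestInputStream; this is not the macro's code, and the key derivation (a server-side secret followed by the attachment content) is an assumption made to illustrate the effect. In the JDK, DigestInputStream inherits skip() from FilterInputStream, which forwards to the wrapped stream without touching the MessageDigest; the model reproduces that.

```python
import hashlib


class DigestStream:
    """Model of java.security.DigestInputStream (added example, not the
    macro's code): read() feeds every returned byte into the digest,
    skip() only advances the position, exactly as FilterInputStream.skip()
    does in the JDK."""

    def __init__(self, data: bytes, algorithm: str = "sha256") -> None:
        self._data = data
        self._pos = 0
        self.digest = hashlib.new(algorithm)

    def read(self, n: int) -> bytes:
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        self.digest.update(chunk)  # the digest sees what was read
        return chunk

    def skip(self, n: int) -> int:
        n = min(n, len(self._data) - self._pos)
        self._pos += n  # the digest is NOT updated
        return n


# Constructed for the example; stands in for whatever secret the real key uses.
SECRET = b"server-side secret (constructed)"


def vulnerable_key(attachment: bytes) -> str:
    """Assumed derivation: digest the secret, then 'consume' the attachment
    through the digest stream with skip(). Because skip() bypasses the
    digest, the result is sha256(SECRET) for every attachment."""
    stream = DigestStream(attachment)
    stream.digest.update(SECRET)
    while stream.skip(4096) > 0:
        pass
    return stream.digest.hexdigest()


def fixed_key(attachment: bytes) -> str:
    """Same derivation, but the content is read through the stream, so the
    key is bound to the attachment bytes."""
    stream = DigestStream(attachment)
    stream.digest.update(SECRET)
    while stream.read(4096):
        pass
    return stream.digest.hexdigest()


def key_is_content_bound(derive, samples) -> bool:
    """Regression check: distinct attachments must yield distinct keys.
    Returns False for the vulnerable derivation."""
    keys = {derive(s) for s in samples}
    return len(keys) == len(set(samples))


if __name__ == "__main__":
    public_pdf = b"%PDF-1.7 public attachment (constructed)"
    restricted_pdf = b"%PDF-1.7 restricted attachment (constructed)"
    print("vulnerable keys equal:", vulnerable_key(public_pdf) == vulnerable_key(restricted_pdf))
    print("fixed keys equal:     ", fixed_key(public_pdf) == fixed_key(restricted_pdf))
```

The practical consequence is visible in the first line of output: with the vulnerable derivation, the key obtained for any attachment the attacker is allowed to view is also the key for every attachment they are not, so the "key" check grants nothing. The same trap exists in any hashing wrapper whose seek or skip path bypasses the update; drain such streams with read(), or hash explicitly.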
CVE-2024-52300 – macro-pdfviewer has a XSS through the width parameter
https://notcve.org/view.php?id=CVE-2024-52300
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6. • https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-84wx-6vfp-5m6g • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
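What "not properly escaped" means for a value that lands in an HTML attribute, as an added example in Python; the rendering below is a model of the sink, not the macro's own code, and the allow-list pattern is an assumption about what a width should look like. Escaping alone stops the attribute breakout; the allow-list additionally stops a value that stays inside the attribute but smuggles extra CSS.

```python
import html
import re

# Allow-list for a CSS length (assumption for the example): digits, optional
# fraction, optional unit. Anything else is not a width and is rejected.
_CSS_LENGTH = re.compile(r"^\d+(\.\d+)?(px|%|em|rem|vw)?$")


def render_width_unescaped(width: str) -> str:
    """Vulnerable rendering (modelled): the parameter is concatenated into
    the style attribute as-is."""
    return '<div class="pdfviewer" style="width: %s">' % width


def render_width_escaped(width: str) -> str:
    """Escaping only: the value can no longer close the attribute, but any
    CSS it carries (e.g. a background:url(...) beacon) still reaches the browser."""
    return '<div class="pdfviewer" style="width: %s">' % html.escape(width, quote=True)


def is_valid_width(width: str) -> bool:
    return _CSS_LENGTH.fullmatch(width) is not None


def render_width_validated(width: str) -> str:
    """Allow-list plus escaping: the right fix for a parameter with a known shape."""
    if not is_valid_width(width):
        raise ValueError("width is not a CSS length: %r" % width)
    return render_width_escaped(width)


def breaks_out_of_attribute(rendered: str) -> bool:
    """Crude regression check: a second '<' means the value opened a tag."""
    return rendered.count("<") > 1


if __name__ == "__main__":
    # Constructed payload: closes the attribute and the tag, then injects script.
    payload = '100px"><script>alert(document.cookie)</script><div x="'
    print(render_width_unescaped(payload))
    print(render_width_escaped(payload))
    print(is_valid_width("80%"), is_valid_width(payload),
          is_valid_width("100px; background:url(https://evil.example/x)"))
```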
CVE-2024-42489 – Pro Macros Remote Code Execution via Viewpdf and similar macros
https://notcve.org/view.php?id=CVE-2024-42489
Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1. • https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267 https://github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
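Why a missing escape in a macro becomes code execution rather than just broken markup, as an added example in Python; this is a toy model of one XWiki rendering step, not the Pro Macros code, and the sink shape (the parameter concatenated into markup the macro emits) is hypothetical. A script macro that survives into content rendered with the macro author's rights is executed server-side; here "execution" only records the script. The fix shown uses the xwiki/2.1 escape character `~` in front of every character the renderer could interpret.

```python
import re

# Script macros the toy renderer "executes" (it only records them).
_SCRIPT_MACRO = re.compile(r"\{\{(groovy|velocity|python)\}\}(.*?)\{\{/\1\}\}", re.S)
# '~' is the escape character in xwiki/2.1 syntax: '~x' renders as a literal 'x'.
_ESCAPED_CHAR = re.compile(r"~(.)", re.S)


def render(wiki_text: str):
    """Toy renderer: returns (rendered_text, executed_scripts) for a fragment
    of xwiki/2.1 syntax. Added example, not XWiki's rendering engine."""
    executed = []

    def run(match):
        executed.append((match.group(1), match.group(2).strip()))
        return "[output of %s script]" % match.group(1)

    rendered = _SCRIPT_MACRO.sub(run, wiki_text)
    return _ESCAPED_CHAR.sub(r"\1", rendered), executed


def escape_wiki(text: str) -> str:
    """Neutralise a value destined for wiki markup by prefixing every
    syntax-relevant character (and '~' itself) with '~'."""
    return re.sub(r"([~{}\[\]*#])", r"~\1", text)


def viewpdf_vulnerable(file_param: str) -> str:
    """Hypothetical sink: the parameter is concatenated into emitted markup."""
    return "Viewing attachment: " + file_param


def viewpdf_fixed(file_param: str) -> str:
    return "Viewing attachment: " + escape_wiki(file_param)


if __name__ == "__main__":
    # Constructed payload: a value that carries a Groovy macro in place of a file name.
    payload = 'a.pdf{{groovy}}println("id".execute().text){{/groovy}}'
    print(render(viewpdf_vulnerable(payload)))
    print(render(viewpdf_fixed(payload)))
```

The same reasoning applies to the sibling macros the advisory names: every parameter that is spliced into markup the macro emits needs this treatment, not only the one found first.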
CVE-2024-30263 – The PDF Viewer macro can be used to view PDF attachments with restricted access
https://notcve.org/view.php?id=CVE-2024-30263
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL instead of an attachment reference as the value of the ``file`` parameter: the URL form is loaded without the access check that the reference form performs. Users with view rights only can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference. This vulnerability has been patched in version 2.5.1. • https://github.com/xwikisas/macro-pdfviewer/issues/49 https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-93qq-2h34-g29f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
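The two resolution paths side by side, as an added example in Python that is not the macro's code. It assumes the default XWiki download URL layout (/xwiki/bin/download/Space/Page/file.pdf) with a single-level space, the single-space attachment reference form Space.Page@file.pdf, and a constructed set of attachments with per-user view rights. The fixed loader resolves both forms to a reference first and checks the right of the user viewing the page, which also covers the macro placed on a public page.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class AttachmentRef:
    space: str
    page: str
    name: str


# Constructed wiki state for the example: attachment -> (bytes, users with view right).
ATTACHMENTS = {
    AttachmentRef("Sandbox", "WebHome", "brochure.pdf"):
        (b"%PDF public (constructed)", {"XWikiGuest", "alice", "bob"}),
    AttachmentRef("HR", "Salaries", "salaries.pdf"):
        (b"%PDF restricted (constructed)", {"alice"}),
}


def parse_reference(value: str) -> AttachmentRef:
    """'Space.Page@file.pdf' (single-space form of an XWiki attachment reference)."""
    doc, _, name = value.partition("@")
    space, _, page = doc.rpartition(".")
    if not (space and page and name):
        raise ValueError("not an attachment reference: %r" % value)
    return AttachmentRef(space, page, name)


def parse_download_url(url: str) -> AttachmentRef:
    """'/xwiki/bin/download/Space/Page/file.pdf' mapped back to a reference
    (assumed default URL layout, single-level space)."""
    parts = [unquote(p) for p in urlsplit(url).path.split("/") if p]
    if len(parts) != 6 or parts[1:3] != ["bin", "download"]:
        raise ValueError("not an attachment download URL: %r" % url)
    return AttachmentRef(parts[3], parts[4], parts[5])


def can_view(user: str, ref: AttachmentRef) -> bool:
    return user in ATTACHMENTS[ref][1]


def load_pdf_vulnerable(file_param: str, viewer: str) -> bytes:
    """Behaviour before 2.5.1 as the advisory describes it (modelled): a reference
    is rights-checked, a URL is fetched directly and the check is skipped."""
    if file_param.startswith(("http://", "https://")):
        return ATTACHMENTS[parse_download_url(file_param)][0]
    ref = parse_reference(file_param)
    if not can_view(viewer, ref):
        raise PermissionError(ref)
    return ATTACHMENTS[ref][0]


def load_pdf_fixed(file_param: str, viewer: str) -> bytes:
    """Resolve either form to a reference, then check the viewing user's right."""
    if file_param.startswith(("http://", "https://")):
        ref = parse_download_url(file_param)
    else:
        ref = parse_reference(file_param)
    if not can_view(viewer, ref):
        raise PermissionError(ref)
    return ATTACHMENTS[ref][0]


def is_readable(loader, file_param: str, viewer: str) -> bool:
    """Regression helper: does this loader hand the bytes to this viewer?"""
    try:
        loader(file_param, viewer)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    url = "https://wiki.example/xwiki/bin/download/HR/Salaries/salaries.pdf"
    print("bob via URL, vulnerable:", is_readable(load_pdf_vulnerable, url, "bob"))
    print("bob via URL, fixed:     ", is_readable(load_pdf_fixed, url, "bob"))
```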
CVE-2024-26138 – License information is public, exposing instance id and license holder details
https://notcve.org/view.php?id=CVE-2024-26138
The XWiki licensor application, which manages and enforces application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is viewable by anyone and thus exposes this information publicly. The information includes the instance's id as well as the first name, last name and email of the license owner. This is a leak of information that isn't supposed to be public: the instance id allows correlating the Active Installs data with the concrete XWiki instance, and the owner details identify a real person. • https://extensions.xwiki.org/xwiki/bin/view/Extension/Active%20Installs%202%20API https://github.com/xwikisas/application-licensing/commit/d168fb88fc0d121bf95e769ea21c55c00bebe5a6 https://github.com/xwikisas/application-licensing/security/advisories/GHSA-4hfp-m9gv-m753 • CWE-862: Missing Authorization •