CVE-2024-52298 – macro-pdfviewer's preview in WYSIWYG editor allows accessing any PDF document as the last author
https://notcve.org/view.php?id=CVE-2024-52298
13 Nov 2024 — macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment. For this, the attacker only needs to provide the reference to a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can access the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the pa... • https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-hph4-7j37-7c97 • CWE-615: Inclusion of Sensitive Information in Source Code Comments •
CVE-2024-52299 – The PDF viewer macro allows accessing any attachment without access right checks
https://notcve.org/view.php?id=CVE-2024-52299
13 Nov 2024 — macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki, because the "key" that is passed to prevent this is computed incorrectly: calling skip on the digest stream doesn't update the digest. This is fixed in 2.5.6. • https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-522m-m242-jr9p • CWE-340: Generation of Predictable Numbers or Identifiers
CVE-2024-52300 – macro-pdfviewer has a XSS through the width parameter
https://notcve.org/view.php?id=CVE-2024-52300
13 Nov 2024 — macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6. • https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-84wx-6vfp-5m6g • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-42489 – Pro Macros Remote Code Execution via Viewpdf and similar macros
https://notcve.org/view.php?id=CVE-2024-42489
12 Aug 2024 — Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1. • https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2024-30263 – The PDF Viewer macro can be used to view PDF attachments with restricted access
https://notcve.org/view.php?id=CVE-2024-30263
04 Apr 2024 — macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference. This vulnerability has been patched in version 2.5.1. • https://github.com/xwikisas/macro-pdfviewer/issues/49 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-26138 – License information is public, exposing instance id and license holder details
https://notcve.org/view.php?id=CVE-2024-26138
21 Feb 2024 — The XWiki licensor application, which manages and enforces application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as the first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the active instal... • https://extensions.xwiki.org/xwiki/bin/view/Extension/Active%20Installs%202%20API • CWE-862: Missing Authorization