Vulnerability Description
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference. This vulnerability has been patched in version 2.5.1.
CVSS Score
7.7 (HIGH)
Related Weaknesses (CWE)
References
- https://github.com/xwikisas/macro-pdfviewer/issues/49
- https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-93qq-2h34-g
FAQ
What is CVE-2024-30263?
CVE-2024-30263 is a vulnerability with a CVSS score of 7.7 (HIGH). macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the...
How severe is CVE-2024-30263?
CVE-2024-30263 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-30263?
Yes. This vulnerability has been patched in macro-pdfviewer version 2.5.1. Check the references section above for the vendor advisory and remediation guidance.