CVE-2024-52300 Vulnerability Details


CVE-2024-52300 Metadata Quick Info

CVE Published: 13/11/2024 | CVE Updated: 13/11/2024 | CVE Year: 2024
Source: GitHub_M | Vendor: xwikisas | Product: macro-pdfviewer
Status: PUBLISHED

CVE-2024-52300 Description

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6.

Metrics

CVSS Version: 3.1 | Base Score: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-80
CWE Name: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Source: xwikisas

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:

Source: NVD (National Vulnerability Database).