CVE-2024-52300

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Nov 13, 2024 / Updated: 6d ago

010
CVSS 9EPSS 0.04%Critical
CVE info copied to clipboard

Summary

A vulnerability in the macro-pdfviewer, a PDF Viewer Macro for XWiki using Mozilla pdf.js, has been identified. The width parameter of the PDF viewer macro is not properly escaped, which allows for Cross-Site Scripting (XSS) attacks. This vulnerability can be exploited by any user who has the ability to edit a page.

Impact

The impact of this vulnerability is severe. It can affect the confidentiality, integrity, and availability of the entire XWiki installation if an admin visits a page containing malicious code. The CVSS v3.1 base score is 9.0, indicating a critical severity level. The attack vector is network-based, requires low attack complexity, and only low privileges. While user interaction is required, the scope is changed, meaning the vulnerable component impacts resources beyond its security scope. The impact on confidentiality, integrity, and availability is high across all three aspects.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. This vulnerability has been fixed in version 2.5.6 of macro-pdfviewer.

Mitigation

1. Update macro-pdfviewer to version 2.5.6 or later. 2. If immediate updating is not possible, restrict edit access to trusted users only. 3. Implement strong input validation and output encoding for the width parameter. 4. Use Content Security Policy (CSP) headers to mitigate XSS attacks. 5. Regularly audit and sanitize user-generated content. 6. Educate administrators about the risks of visiting untrusted pages with their privileged access.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-52300

Nov 13, 2024 at 4:15 PM
CVSS

A CVSS base score of 9 has been assigned.

Nov 13, 2024 at 4:26 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-52300. See article

Nov 13, 2024 at 4:27 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 13, 2024 at 4:27 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.1%)

Nov 15, 2024 at 6:34 AM
Static CVE Timeline Graph

Affected Systems

Xwiki/pdf_viewer_macro
+null more

Attack Patterns

CAPEC-18: XSS Targeting Non-Script Elements
+null more

News

NA - CVE-2024-52300 - macro-pdfviewer is a PDF Viewer Macro for XWiki...
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can...
CVE-2024-52300 | xwikisas macro-pdfviewer up to 2.5.5 PDF Viewer Macro width cross site scripting (GHSA-84wx-6vfp-5m6g)
A vulnerability was found in xwikisas macro-pdfviewer up to 2.5.5 and classified as problematic . This issue affects some unknown processing of the component PDF Viewer Macro . The manipulation of the argument width leads to basic cross site scripting. The identification of this vulnerability is CVE-2024-52300 . The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-52300 - XWiki PDF Viewer Macro Stored Cross-Site Scripting November 13, 2024 at 04:15PM https:// ift.tt/gTn9y12 # CVE # IOC # CTI # ThreatIntelligence # ThreatIntel # Cybersecurity # Recon
CVE-2024-52300 - XWiki PDF Viewer Macro Stored Cross-Site Scripting
CVE ID : CVE-2024-52300 Published : Nov. 13, 2024, 4:15 p.m. 48 minutes ago Description : macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6.
CVE-2024-52300
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6.
See 3 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI