CVE-2024-52300
📋 TL;DR
CVE-2024-52300 is a cross-site scripting (XSS) vulnerability in the macro-pdfviewer component for XWiki that allows attackers to inject malicious scripts via the width parameter. Any user with page editing privileges can exploit this vulnerability, potentially compromising the entire XWiki installation when an administrator views the malicious page. The vulnerability affects confidentiality, integrity, and availability of the XWiki platform.
💻 Affected Systems
- macro-pdfviewer for XWiki
⚠️ Risk & Real-World Impact
Worst Case
An attacker with edit privileges could execute arbitrary JavaScript in admin context, leading to complete compromise of the XWiki installation, data theft, account takeover, and potential server-side code execution.
Likely Case
Attackers with basic user accounts could steal session cookies, perform actions as other users, deface pages, or exfiltrate sensitive data from the XWiki instance.
If Mitigated
With proper input validation and output encoding, the XSS payload would be neutralized, preventing script execution and limiting impact to data display issues.
🎯 Exploit Status
Exploitation requires an authenticated user with page editing permissions. The vulnerability is simple to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.6
Vendor Advisory: https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-84wx-6vfp-5m6g
Restart Required: No
Instructions:
1. Update the macro-pdfviewer extension to version 2.5.6 or later.
2. In XWiki, go to Extension Manager.
3. Check for updates and install macro-pdfviewer 2.5.6+.
4. Clear the browser cache after the update.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize width parameter inputs in the PDF viewer macro.
Modify macro-pdfviewer source to escape HTML entities in width parameter before rendering
Content Security Policy
Implement strict CSP headers to prevent XSS execution.
Add a "Content-Security-Policy: script-src 'self'" header to the XWiki configuration, and test it against the wiki's own pages first, since a strict script-src also blocks legitimate inline scripts.
🧯 If You Can't Patch
- Restrict page editing permissions to trusted users only
- Implement web application firewall rules to block XSS payloads in width parameters
🔍 How to Verify
Check if Vulnerable:
Check macro-pdfviewer version in XWiki Extension Manager. If version is below 2.5.6, the system is vulnerable.
Check Version:
In XWiki, navigate to Extension Manager and check the macro-pdfviewer version.
Verify Fix Applied:
After updating to 2.5.6+, test by attempting to inject a script via the width parameter and verify that it is properly escaped.
📡 Detection & Monitoring
Log Indicators:
- Unusual width parameter values in PDF viewer macro requests
- JavaScript payloads in URL parameters
Network Indicators:
- HTTP requests with script tags or JavaScript in width parameter
SIEM Query:
source="xwiki" AND (url="*width=*<script*" OR url="*width=*javascript:*")
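The input-validation workaround above and the detection indicators share one idea: a legitimate width is a plain CSS length, so anything else can be rejected at input time and flagged in logs. The following Python is an added illustration of that allowlist approach, not code from macro-pdfviewer or XWiki (the real fix lives in the extension's Java code); the log lines and the helper names are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Allowlist for a CSS-style width: up to five ASCII digits with an optional
# fraction and a known unit, or the keyword "auto". Anything else is rejected.
WIDTH_PATTERN = re.compile(r"(?:auto|[0-9]{1,5}(?:\.[0-9]{1,2})?(?:px|%|em|rem|vw)?)")

def validate_width(value: str) -> str:
    """Return the width unchanged if it is a plain CSS length, else raise ValueError."""
    candidate = value.strip()
    if not WIDTH_PATTERN.fullmatch(candidate):
        raise ValueError(f"rejected width parameter: {candidate!r}")
    return candidate

def safe_width_attribute(value: str, default: str = "100%") -> str:
    """Defence in depth: fall back to a default on invalid input and HTML-escape
    the result before it is placed inside an attribute value."""
    try:
        width = validate_width(value)
    except ValueError:
        width = default
    return 'style="width: %s"' % html.escape(width, quote=True)

def suspicious_width_requests(log_lines):
    """Return (line, decoded_width) pairs whose width query parameter fails the allowlist.
    Working on the decoded value catches URL-encoded payloads that a literal
    "*width=*<script*" match would miss."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if "width=" not in token:
                continue
            qs = parse_qs(urlparse(token).query, keep_blank_values=True)
            for width in qs.get("width", []):
                if not WIDTH_PATTERN.fullmatch(width.strip()):
                    hits.append((line, width))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "GET /bin/view/Docs/Manual?width=600px HTTP/1.1" 200',
    '10.0.0.9 - bob [01/Jan/2025:10:00:02 +0000] "GET /bin/view/Docs/Manual?width=%22%3E%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200',
    '10.0.0.7 - carol [01/Jan/2025:10:00:03 +0000] "GET /bin/view/Docs/Manual?width=100%25 HTTP/1.1" 200',
]
```

Because the check is an allowlist rather than a blocklist of `<script` strings, it also flags encoded or obfuscated variants without needing a signature for each one.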