CVE-2024-52299
Published: 13 November 2024
Summary
CVE-2024-52299 is a high-severity Generation of Predictable Numbers or Identifiers (CWE-340) vulnerability in Xwiki Pdf Viewer Macro. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45837
Vulnerability details
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki, because the "key" that is passed to prevent this is computed incorrectly: calling skip on the digest stream does not update the digest, so the key does not actually depend on the bytes that were skipped. This is fixed in 2.5.6.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability in XWiki's PDFViewerService enables bypassing attachment access controls via flawed key computation, allowing unauthorized file access and discovery (e.g., via Page Index JSON listing protected attachments), exploitation of a public-facing wiki application, and collection of data from information repositories.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Controlled key-establishment processes produce unpredictable key values instead of values derived from observable or guessable state.