CVE-2024-30263— The PDF Viewer macro can be used to view PDF attachments with restricted access
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-30263
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
The PDF Viewer macro can be used to view PDF attachments with restricted access
Source: NVD (National Vulnerability Database)
Vulnerability Description
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Users with edit rights can access restricted PDF attachments using the PDF Viewer macro, just by passing the attachment URL as the value of the ``file`` parameter. Users with view rights can access restricted PDF attachments if they are shown on public pages where the PDF Viewer macro is called using the attachment URL instead of its reference. This vulnerability has been patched in version 2.5.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
PDF Viewer Macro 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PDF Viewer Macro是XWiki SAS开源的一个宏。允许在 XWiki 页面内查看附加到 XWiki 页面的 PDF 文件。 PDF Viewer Macro 2.5及之前版本存在安全漏洞,该漏洞源于具有编辑权限的用户可以使用PDF Viewer宏访问受限制的PDF附件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| xwikisas | macro-pdfviewer | <= 2.5.0 | - |
II. Public POCs for CVE-2024-30263
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-30263
Please Login to view more intelligence information
- https://github.com/xwikisas/macro-pdfviewer/issues/49x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2024-30263
IV. Related Vulnerabilities
Same vendor: xwikisas
- CVE-2025-65036
XWiki Remote Macros vulnerable to remote code execution usin - CVE-2025-65089
XWiki view file macro: User can view content of office file - CVE-2025-54990
XWiki AdminTools application doesn't set permissions on the - CVE-2025-55730
XWiki Remote Macros vulnerable to remote code execution usin - CVE-2025-55729
XWiki Remote Macros vulnerable to remote code execution usin
Same weakness: CWE-200
- CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-43942
electerm: Full process.env exposed to renderer via window.pr - CVE-2026-42880
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Ext
V. Comments for CVE-2024-30263
No comments yet