| Title | apryse WebViewe 10.8.0 Cross Site Scripting |
|---|
| Description | The default WebViewer [https://www.npmjs.com/package/@pdftron/webviewer] deployments allow Embedded JavaScript within PDF which can lead to cross-site scripting XSS
I was able to replicate this issue on the WebViewer demo. To reproduce: Visit https://showcase.apryse.com/portfolio. Upload the attached PDF file. https://1drv.ms/b/s!AqJ7dHWS4CD_l0acw2hDjgo-C2zC?e=DOGPmq XSS will be triggered.
Vandor was contacted and they will fix the issue on the next release, by disabling the embedded javascript by default.
|
|---|
| User | hamza_g (UID 68030) |
|---|
| Submission | 04/23/2024 00:55 (2 years ago) |
|---|
| Moderation | 04/29/2024 21:40 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 262419 [Apryse WebViewer up to 10.8.0 PDF Document cross site scripting] |
|---|
| Points | 17 |
|---|