@devom3
Last active March 17, 2025 14:59
CVE-2024-57240: Cross-Site Scripting (XSS) Vulnerability in Apryse WebViewer <= 11.1

Date Published: Feb 24 2025

Summary

A Cross-Site Scripting (XSS) vulnerability has been identified in Apryse WebViewer versions up to and including 11.1. It allows a remote attacker to execute arbitrary JavaScript in the victim's browser by supplying a crafted PDF file. The issue arises from improper sanitization of user-supplied input during PDF rendering.

Affected Product

  • Product Name: Apryse WebViewer
  • Affected Versions: All versions up to and including 11.1
  • Component: PDF Rendering Engine

Vulnerability Type

  • Type: Cross-Site Scripting (XSS)

Vulnerability Details

An attacker can exploit this vulnerability by creating a malicious PDF file containing embedded JavaScript. When a user opens this PDF in Apryse WebViewer, the embedded script executes in the context of the user's browser session. This can lead to:

  • Arbitrary Code Execution: Execution of attacker-controlled scripts.
  • Session Hijacking: Theft of session cookies, potentially compromising user accounts.
  • Unauthorized Actions: Performing actions with the privileges of the affected user.

Attack Vector

  • Remote Attack: The attacker supplies a crafted PDF file to the victim.
  • User Interaction: The victim needs to open the malicious PDF using Apryse WebViewer.

Impact

This vulnerability enables attackers to:

  • Execute arbitrary code in the context of the user's browser.
  • Access sensitive information, such as session cookies.
  • Perform unauthorized actions on behalf of the user.
  • Potentially escalate privileges within the application.

Proof of Concept

A crafted PDF file with embedded JavaScript demonstrates the vulnerability. When uploaded to showcase.apryse.com and rendered by WebViewer, the script executes, confirming the XSS flaw.

Note: Detailed exploit code and proof-of-concept files have been responsibly disclosed to the vendor to prevent misuse.

Payload Source: The payload was obtained from this repository. Original discovery and credit go to @luigigubello. Apryse also has a well-written blog post on the issue at https://apryse.com/blog-regarding-xss-vulnerabilities-in-webviewer

Solution

Apryse has addressed this vulnerability in subsequent updates. Users should:

  • Update Apryse WebViewer to the latest version where this vulnerability has been fixed.
  • Implement Content Security Policy (CSP): Ensure CSP headers are properly configured to mitigate XSS attacks.

References

Acknowledgments

This vulnerability was discovered and reported by Mahadev Subedi (X : @blinkms).

Timeline

  • Date of Discovery: October 22, 2024
  • Reported to Vendor: October 22, 2024 via vulnerability reporting form
  • Vendor Acknowledgment Received: Nov 20, 2024
  • Vendor Patch Released: Jan 8, 2025
  • Public Disclosure: Feb 24, 2025

CVSS Score

Disclaimer

The information provided in this report is intended to inform users of the vulnerability so they may take appropriate action to protect their systems. Any use of this information for malicious purposes is strictly prohibited.


[Screenshot: 2024-11-17 092517]

luigigubello commented Feb 26, 2025

LOL. Quite sure you just sent them my file payload9.pdf. Curious to read more details about the payload and why it works. If you found the bug you know why the payload works.


devom3 commented Feb 26, 2025

Hi @luigigubello,

I was looking for your comment on it, and thought of clearing up something you are eagerly wondering about:

-- As far as you are concerned, I have been contributing to PDF rendering engines over the last couple of years, and Apryse is one of them.

-- During a regular research timeframe, I came to uncover the issue, https://apryse.com/blog-regarding-xss-vulnerabilities-in-webviewer, regarding reports CVE-2024-29359 and CVE-2024-4327, which are identical to this find. JS is intentionally enabled in WebViewer without having cookies and session data to exfiltrate; a known XSS was left over there for years.

-- Upon looking through the changelog, recent features being added to Apryse WebViewer and an insufficient fix (the previous researcher failed to retest the issue) were discovered, from which it came to light.

-- An XSS with potential impact on Apryse WebViewer users has been identified.

-- Reported to the Apryse Security Team.

-- Confirmed by the Apryse Security Team as a unique issue.

-- Also, I was notified of previous findings with CVEs pre-assigned, and of a well-done examination of how this re-occurred.

Finally, I would like to thank the Apryse Security Team and previous researchers for uncovering and helping fix the issue in a responsible disclosure manner.

Suggestions and feedback to: devom378 (at) gmail.com

@luigigubello
Perfect, now that it is fixed I am sure you can share a payload and how the vulnerability works :) But hey, we know you just sent my payload and you don't know why it works :) I will write you an email so you can share it privately if you prefer.
