Date Published: Feb 24 2025
A Cross-Site Scripting (XSS) vulnerability has been identified in Apryse WebViewer versions up to and including 11.1. A remote attacker who can get a crafted PDF file rendered by WebViewer can execute arbitrary JavaScript in the origin of the web application that embeds the viewer. The issue arises because content carried in the PDF is not properly sanitized when WebViewer renders it.
- Product Name: Apryse WebViewer
- Affected Versions: All versions up to and including 11.1
- Component: PDF Rendering Engine
- Type: Cross-Site Scripting (XSS)
An attacker can exploit this vulnerability by creating a malicious PDF file containing embedded JavaScript. When a user opens this PDF in Apryse WebViewer, the script runs in the user's browser, in the origin of the application hosting the viewer. This can lead to:
- Arbitrary Script Execution: attacker-controlled JavaScript runs in the victim's browser session.
- Session Hijacking: Theft of session cookies, potentially compromising user accounts.
- Unauthorized Actions: Performing actions with the privileges of the affected user.
- Remote Attack: The attacker supplies a crafted PDF file to the victim.
- User Interaction: The victim needs to open the malicious PDF using Apryse WebViewer.
This vulnerability enables attackers to:
- Execute arbitrary code in the context of the user's browser.
- Access sensitive information, such as session cookies.
- Perform unauthorized actions on behalf of the user.
- Potentially escalate privileges within the application.
A crafted PDF file with embedded JavaScript demonstrates the vulnerability. When uploaded to showcase.apryse.com and rendered by WebViewer, the script executes, confirming the XSS flaw.
Note: Detailed exploit code and proof-of-concept files have been responsibly disclosed to the vendor to prevent misuse.
Payload Source: The payload was obtained from this repository. Original discovery and credit go to @luigigubello. Apryse also has a well-written blog post on the topic: https://apryse.com/blog-regarding-xss-vulnerabilities-in-webviewer
Apryse has addressed this vulnerability in subsequent updates. Users should:
- Update Apryse WebViewer to a fixed release (later than 11.1).
- Implement Content Security Policy (CSP): serve the page that embeds WebViewer with a CSP that restricts script sources and outbound connections, so that an injected script has less to work with if rendering is compromised.
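Since the attack vector is a PDF carrying JavaScript, a compensating control while the update is rolled out is to screen uploaded PDFs for JavaScript actions before they reach WebViewer. The scanner below is an added example written for this page; it is not code from Apryse or from the report. The three sample PDFs are constructed inline for the demonstration and carry only a harmless `app.alert()`, not any exploit payload. The scanner decodes `#xx` name escapes and inflates FlateDecode streams, because both hide `/JavaScript` from a naive byte search.

```python
import re
import zlib

# Constructed sample PDFs for this demonstration (not taken from the original
# report). The embedded script is a harmless app.alert(), not an exploit payload.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# A document-open JavaScript action written in the clear: a byte search finds it.
JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_objstm_pdf() -> bytes:
    """Same action, but names use #xx escapes and the object sits inside a
    FlateDecode object stream, so '/JavaScript' never appears in the raw bytes."""
    inner = b"<< /S /Java#53cript /J#53 (app.alert('hi')) >>"
    offsets = b"4 0 "  # object-stream header: "objnum offset" pairs
    payload = zlib.compress(offsets + inner)
    head = (b"5 0 obj << /Type /ObjStm /N 1 /First " + str(len(offsets)).encode()
            + b" /Length " + str(len(payload)).encode()
            + b" /Filter /FlateDecode >>\nstream\n")
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
        + head + payload + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# A PDF name token runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r /\[\]<>(){}%]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
JS_NAMES = {b"/JavaScript", b"/JS"}       # action subtype and the key holding the script
TRIGGER_NAMES = {b"/OpenAction", b"/AA"}  # open-time and additional-action triggers


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes: /Java#53cript is the same name as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def inflated_streams(pdf: bytes):
    """Yield the body of every stream that inflates as zlib/Flate data.
    Streams using other filters, or malformed data, are skipped silently."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def find_indicators(pdf: bytes) -> dict:
    """Map each suspicious name to where it was seen: 'body' or 'stream[i]'."""
    hits: dict = {}

    def scan(buf: bytes, where: str) -> None:
        for m in NAME_RE.finditer(buf):
            name = decode_name(m.group(0))
            if name in JS_NAMES or name in TRIGGER_NAMES:
                hits.setdefault(name.decode("latin-1"), set()).add(where)

    scan(pdf, "body")
    for i, body in enumerate(inflated_streams(pdf)):
        scan(body, f"stream[{i}]")
    return hits


def has_javascript(pdf: bytes) -> bool:
    """True if a JavaScript action is visible anywhere in the file."""
    hits = find_indicators(pdf)
    return any(n.decode("latin-1") in hits for n in JS_NAMES)


def auto_runs_javascript(pdf: bytes) -> bool:
    """True if JavaScript is present together with an open-time trigger."""
    hits = find_indicators(pdf)
    return (any(n.decode("latin-1") in hits for n in JS_NAMES)
            and any(n.decode("latin-1") in hits for n in TRIGGER_NAMES))


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PDF), ("plain-js", JS_PDF), ("objstm-js", build_objstm_pdf())):
        print(label, find_indicators(doc), "auto-run:", auto_runs_javascript(doc))
```

This is a screening heuristic, not a PDF parser: encrypted files, other stream filters and cross-reference tricks can still hide an action from it. Treat a hit as grounds to reject or sandbox the upload, and treat a miss as inconclusive rather than as proof the file is clean.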
- Vendor Website: https://apryse.com
- Product Information: https://apryse.com/products/webviewer
This vulnerability was discovered and reported by Mahadev Subedi (X: @blinkms).
- Date of Discovery: October 22, 2024
- Reported to Vendor: October 22, 2024 via vulnerability reporting form
- Vendor Acknowledgment Received: Nov 20, 2024
- Vendor Patch Released: Jan 8, 2025
- Public Disclosure: Feb 24, 2025
- Base Score: 8.0 (High)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
The information provided in this report is intended to inform users of the vulnerability so they may take appropriate action to protect their systems. Any use of this information for malicious purposes is strictly prohibited.
Hi @luigigubello,
I was looking for your comment on it, and thought of clearing up something you are eagerly wondering about:
-- As far as you are concerned, I have been contributing to PDF rendering engines over the last couple of years, and Apryse is one of them.
-- During a regular research timeframe, I came to uncover the issue, https://apryse.com/blog-regarding-xss-vulnerabilities-in-webviewer, regarding the reports CVE-2024-29359 and CVE-2024-4327, which is identical to this find. JS is intentionally enabled in WebViewer without having cookies and session data to exfiltrate; a known XSS was left over there for years.
-- Upon looking at the changelog, recent features being added to Apryse WebViewer and an insufficient fix (the previous researcher failed to retest the issue) were discovered, from which it came to light.
-- An XSS with potential impact on Apryse WebViewer users has been identified.
-- Reported to Apryse Security Team
-- Confirmed by Apryse Security Team as a unique issue
-- Also, I was notified of the previous findings with CVEs pre-assigned, and of a thorough examination of how this re-occurred.
Finally, I would like to thank the Apryse Security Team and the previous researchers for uncovering and helping fix the issue in a responsible-disclosure manner.
Suggestions and feedback to: devom378 (at) gmail.com