Abstract Advisory Information
A script in the component loads content using the URL tags without properly sanitizing it. This leads to both open redirection and out-of-band resource loading.
Impact: Open redirection & Out-of-band resource loading
Author: Alexis Pain
Version affected
Name: ViewerJS
Versions: 0.5.8
Common Vulnerability Scoring System
4.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Patches
No patch available
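With no patch listed, an integrator can gate the reference before the viewer loads it, as in this added example (not ViewerJS or vendor code). It assumes the document reference is read from the page URL; `resolveDocumentUrl`, `ALLOWED_PATH_PREFIXES`, the `/documents/` prefix and the `app.example` host are hypothetical.

```javascript
// Added example, not ViewerJS code. All names and paths here are hypothetical.
// Validates a document reference taken from the page URL before it is loaded.

// Assumption: the only location the viewer is meant to serve documents from.
const ALLOWED_PATH_PREFIXES = ['/documents/'];

// Returns the absolute URL that is safe to load, or null if rejected.
function resolveDocumentUrl(rawRef, pageUrl) {
  if (typeof rawRef !== 'string' || rawRef.length === 0) return null;

  // Control characters and backslashes are normalised by URL parsers in
  // ways that can turn an innocent-looking value into a cross-origin URL.
  if (/[\u0000-\u001f\u007f\\]/.test(rawRef)) return null;

  let page;
  let target;
  try {
    page = new URL(pageUrl);
    // Resolve relative references the same way the browser would.
    target = new URL(rawRef, page);
  } catch {
    return null;
  }

  // Only plain web schemes: rejects javascript:, data:, blob:, file: ...
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;

  // Same origin only: rejects absolute and protocol-relative ("//host")
  // references, which are the open-redirect and out-of-band loading cases.
  if (target.origin !== page.origin) return null;

  // No credentials embedded in the reference.
  if (target.username || target.password) return null;

  // Allowlist is checked on the parsed pathname, after "../" has been
  // collapsed, so traversal out of the allowed folder is caught here.
  const allowed = ALLOWED_PATH_PREFIXES.some((p) => target.pathname.startsWith(p));
  return allowed ? target.href : null;
}
```

Load only the returned value, never the raw reference, and treat `null` as a hard failure rather than falling back to the original string.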
References
- https://cds.thalesgroup.com/en/tcs-belgium-luxembourg/CVE-2024-25676
Vulnerability Disclosure Timeline
- 08/08/2023: Vulnerability discovery
- 29/08/2023: Vulnerability Report to CERT-XLM
- 12/09/2023: Vulnerability Report to Vendor
- 19/09/2023: Vulnerability Report to Vendor
- 26/09/2023: Called vendor, redirected us to an email address
- 03/10/2023: Vulnerability Report shared to the vendor
- 10/10/2023: Asked the vendor for an update
- 17/10/2023: Asked the vendor for information
- 26/10/2023: Update Vendor
- 31/10/2023: Update Vendor
- 14/11/2023: PoC sent to Vendor
- 21/11/2023: Update asked to the vendor
- 28/11/2023: Update asked to vendor
- 05/12/2023: Update asked to the vendor and reminder of the deadline
- 12/12/2023: Update asked to the vendor
- 29/12/2023: Update asked to the vendor
- 16/01/2024: Requested vendor availability for a Teams meeting
- 29/01/2024: Feedback vendor about meeting scheduling
- 29/01/2024: Teams meeting sent to the vendor for 31/01/2024
- 31/01/2024: Teams meeting held with spreeplan-it.de, vendor acknowledged the vulnerability
- 31/01/2024: Mail sent to vendor following the Teams meeting to explain our responsible disclosure
- 02/02/2024: Requested CVE ID from MITRE
- 09/02/2024: CVE ID assigned: CVE-2024-25676
- 13/02/2024: CVE ID CVE-2024-25676 notified to the Vendor spreeplan-it
- 05/03/2024: Fix date request to the Vendor spreeplan-it
- 20/02/2024: Fix date request to the Vendor spreeplan-it, viewerjs licence support
- 19/04/2024: Vendor notified about vulnerability disclosure
- 26/04/2024: Expected Vulnerability disclosure