When PDF documents are uploaded to Hubshare, dangerous URLs in supported documents, including JavaScript URLs, are rendered as hyperlinks, allowing the execution of arbitrary JavaScript code. The Hubshare application appears to use a vulnerable version of PDFTron WebViewer UI for document viewing, collaboration and annotation.
* Hubshare
The issue has been fixed by upgrading the PDFTron Viewer library. No Hubshare source code changes were needed.
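
One way a viewer can decide whether a URI taken from a PDF link annotation may become a clickable hyperlink, shown as an added example (this is not Hubshare or PDFTron code; `SAFE_SCHEMES`, `safeLinkHref` and `renderableLinks` are hypothetical names and the sample URIs are constructed):

```javascript
// Added example: scheme allow-list for URIs found in PDF link annotations.
// All names here are hypothetical; none are PDFTron or Hubshare APIs.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized href that is safe to place on an <a> element, or null
// when the URI should be displayed as plain text instead of a link.
function safeLinkHref(rawUri) {
  if (typeof rawUri !== "string") return null;
  let url;
  try {
    // Parse with the same WHATWG URL parser the browser uses for navigation.
    // It trims leading/trailing control characters and spaces, removes
    // tab/CR/LF inside the string and lowercases the scheme, so the scheme
    // checked here is the scheme the browser would act on. A string prefix
    // test on the raw value does not give that guarantee.
    url = new URL(rawUri);
  } catch {
    return null; // relative or unparsable: not linkified
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Splits annotation URIs into those rendered as links and those kept as text.
function renderableLinks(uris) {
  const links = [];
  const textOnly = [];
  for (const uri of uris) {
    const href = safeLinkHref(uri);
    if (href === null) textOnly.push(uri);
    else links.push(href);
  }
  return { links, textOnly };
}

// Constructed sample annotation URIs.
const SAMPLE_URIS = [
  "https://example.com/report",
  "mailto:owner@example.com",
  "javascript:void(0)",
  " JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,hello",
];
console.log(renderableLinks(SAMPLE_URIS));
```

An allow-list is used rather than a deny-list so that schemes nobody thought to block are also left unlinked.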
We thank Michael Newton <mnewton@themissinglink.com.au> for responsible disclosure.
Date issued: 2022-08