CVE-2022-39016: Pdftron: avoid possible account takeover with XSS

DESCRIPTION:

Hyperlinks embedded in PDF documents uploaded to Hubshare are rendered as clickable links in the document viewer without validation of the URL scheme. A crafted PDF can therefore carry a javascript: URL, and any user who clicks the link executes attacker-controlled JavaScript in the context of the Hubshare application (stored XSS), which can be leveraged for account takeover.
Hubshare uses a vulnerable version of the PDFTron WebViewer UI for document viewing, collaboration and annotation.

Risk level: Critical

Fix: Upgrade Hubshare to version 3.3.11.1 or later.

AFFECTED PRODUCTS:

* Hubshare

MORE INFORMATION:

The issue was fixed by upgrading the bundled PDFTron WebViewer library to a version that no longer renders javascript: URLs as hyperlinks; no Hubshare source code changes were needed.

ACKNOWLEDGEMENT

We thank Michael Newton <[email protected]> for responsible disclosure.

Date issued: 2022-08

https://www.cve.org/CVERecord?id=CVE-2022-39016