CVE-2022-39016: Pdftron: avoid possible account takeover with XSS
DESCRIPTION:
PDF documents uploaded to Hubshare render dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code.
The Hubshare application appears to use a vulnerable version of PDFTron Webviewer UI for document viewing, collaboration and annotation
Risk level: Critical
Fix: Upgrade to version 3.3.11.1 or later.
AFFECTED PRODUCTS:
* Hubshare
MORE INFORMATION:
The issue has been naturally fixed by upgrading the Pdftron Viewer library. No hubshare source code changes needed.
ACKNOWLEDGEMENT
We thank Michael Newton <[email protected]> for responsible disclosure.
Date issued: 2022-08
https://www.cve.org/CVERecord?id=CVE-2022-39016