VYPR
Low severity (3.5) · NVD Advisory · Published May 14, 2024 · Updated Apr 15, 2026

CVE-2024-33007

Description

PDFViewer is a control delivered as part of the SAPUI5 product which shows PDF content in an embedded mode by default. If a PDF document contains embedded JavaScript (or any harmful client-side script), the PDFViewer will execute the JavaScript embedded in the PDF, which can cause a potential security threat.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAPUI5 PDFViewer executes JavaScript embedded in PDFs, enabling client-side script execution with user interaction.

CVE-2024-33007 describes a security weakness in the SAPUI5 PDFViewer control (product SAPUI5). The root cause is that the PDFViewer, by default, renders PDF documents in an embedded mode that does not disable JavaScript execution. If a PDF file contains embedded JavaScript or other harmful client-side scripts, the viewer will execute them, which can lead to a security threat.

To exploit this vulnerability, an attacker must craft a malicious PDF containing embedded JavaScript and deliver it to a user. The user then needs to open the PDF document using the affected SAPUI5 PDFViewer. The CVSS v3 base score of 3.5 (Low) reflects the requirement for user interaction and the client-side nature of the attack.

Successful exploitation allows the attacker's JavaScript to run within the security context of the SAPUI5 application. This could enable actions such as accessing session data, modifying the DOM, or performing actions on behalf of the user, depending on the application's permissions.

SAP has addressed this vulnerability through its regular security patch process. Users and administrators should apply the relevant SAP Security Notes[1] to update the PDFViewer control to a version that disables or restricts JavaScript execution in PDF documents. As of publication, SAP recommends implementing the provided corrections as a priority.
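Because the issue hinges on script actions embedded in the PDF itself, a server-side triage check can flag such documents before they are handed to an embedded viewer. The following is an added example, not SAP code and not part of the advisory; the function name `find_script_keys` and the sample fragments are assumptions constructed for illustration.

```python
import re
import zlib

# PDF dictionary keys that carry or trigger script actions.
SCRIPT_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _normalize(data):
    """Decode #xx name escapes so '/J#53' is compared as '/JS'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(pdf):
    """Yield the contents of streams that inflate as zlib (FlateDecode)."""
    for match in _STREAM.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # another filter, encrypted, or damaged: not inspected


def find_script_keys(pdf):
    """Return the set of script-related keys seen in the raw or inflated bytes."""
    found = set()
    for chunk in [pdf, *_inflated_streams(pdf)]:
        normalized = _normalize(chunk)
        for key in SCRIPT_KEYS:
            # Require a delimiter after the key so '/JS' does not match '/JSFoo'.
            if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", normalized):
                found.add(key.decode())
    return found


# Constructed PDF fragments (not complete documents) covering three encodings.
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
PLAIN = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
         b"3 0 obj\n<< /S /JavaScript /JS (0) >>\nendobj\n")
ESCAPED = b"%PDF-1.7\n3 0 obj\n<< /S /J#61vaScript /J#53 (0) >>\nendobj\n"
PACKED = (b"%PDF-1.7\n5 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (0) >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("plain", PLAIN),
                         ("escaped", ESCAPED), ("packed", PACKED)]:
        print(name, sorted(find_script_keys(sample)))
```

This is a triage heuristic: encrypted documents and streams using filters other than FlateDecode are not inspected, so an empty result does not prove a file is script-free, and the check complements rather than replaces the SAP corrections.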

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
