CVE-2024-4327

Vulnerability

Overview

CVE-2024-4327 is a problematic cross-site scripting (XSS) vulnerability found in Apryse WebViewer up to version 10.8.0. The flaw affects the PDF Document Handler component and can be triggered remotely. The vendor was contacted early and explains that the issue is addressed in release 10.9, and that a strict Content Security Policy (CSP) is recommended as a defense-in-depth measure [1].

Attack

Vector and Exploitation

The manipulation leads to XSS, but the description does not detail the specific input vector (e.g., stored or reflected). The attack requires no authentication and can be initiated over the network. An exploit has been disclosed publicly, increasing the risk of widespread use. The vendor's CSP documentation indicates that improper CSP settings (e.g., allowing unsafe-inline or unsafe-eval for script-src) can leave WebViewer vulnerable to such attacks [1].

Impact

Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of a user's session. This could lead to data theft, session hijacking, or other client-side attacks. The CVSS score of 3.5 (Low) reflects the need for user interaction or specific configurations, but the public disclosure elevates the practical risk.

Mitigation

Apryse released WebViewer 10.9 to fix the XSS vulnerability. Users should upgrade immediately. Additionally, applying the recommended strict CSP (e.g., script-src 'self' 'wasm-unsafe-eval' blob: without unsafe-inline) can mitigate exploitation in versions that cannot be upgraded immediately [1]. No workaround other than upgrading or enforcing CSP is documented.