Apryse WebViewer Cross-Site Scripting Vulnerability
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in Apryse WebViewer versions 11.1 and earlier, specifically within the PDF Rendering Engine component. This vulnerability allows remote attackers to execute arbitrary JavaScript by crafting a malicious PDF file. The issue stems from inadequate input sanitization during the rendering process.
Impact
Successful exploitation allows execution of arbitrary JavaScript in the context of the user's browser session, disclosure of sensitive information such as session cookies, and unauthorized actions performed on behalf of the user within the application that embeds the viewer.
Reproduction
To reproduce this vulnerability, upload a crafted PDF file containing embedded JavaScript into the Apryse WebViewer. The malicious script will execute, confirming the presence of the XSS vulnerability.
Remediation
Users are advised to update Apryse WebViewer to the latest version, where this vulnerability has been fixed. Additionally, implementing a Content Security Policy (CSP) can help mitigate XSS attacks.
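As an added, defender-side example (not from this advisory and not Apryse's own code): a heuristic screen that flags PDFs carrying JavaScript or auto-run actions before an upload is handed to the viewer, usable as a compensating control while the update is rolled out. The token names are standard PDF name objects; the reject/inspect/pass policy is this example's own assumption.

```python
import re

# PDF name objects that mark scripted or auto-run content (ISO 32000). Splitting
# them into "reject" and "inspect" is this example's own policy, not Apryse's.
REJECT = {"JavaScript": rb"/JavaScript\b", "JS": rb"/JS\b"}
INSPECT = {"OpenAction": rb"/OpenAction\b", "AA": rb"/AA\b", "ObjStm": rb"/ObjStm\b"}


def _unescape_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes inside PDF names, so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Screen raw PDF bytes before they reach a browser-side viewer.

    verdict: reject  - a JavaScript action or script entry is visible in plain text
             inspect - auto-run hooks, or object streams (compressed, so tokens may be hidden)
             pass    - none of the above found
    """
    text = _unescape_names(data)
    reject_hits = sorted(k for k, p in REJECT.items() if re.search(p, text))
    inspect_hits = sorted(k for k, p in INSPECT.items() if re.search(p, text))
    if reject_hits:
        verdict = "reject"
    elif inspect_hits:
        verdict = "inspect"
    else:
        verdict = "pass"
    return {"verdict": verdict, "hits": reject_hits + inspect_hits}


# Constructed minimal PDF skeletons for illustration; they are not real documents.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
             b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
                b"3 0 obj<</S/J#61vaScript/JS(;)>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF")
PACKED_PDF = (b"%PDF-1.5\n1 0 obj<</Type/ObjStm/N 1/First 5/Filter/FlateDecode/Length 0>>"
              b"stream\nendstream endobj\n%%EOF")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF), ("packed", PACKED_PDF)):
        print(name, scan_pdf(sample))
```

This is a screen, not a parser: object streams and other compressed content can hide the tokens, which is why /ObjStm alone yields inspect rather than pass, and it does not replace updating WebViewer.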
