Vendor: PDFTron Vendor URL: https://www.pdftron.com/ Versions affected: WebViewer UI 8.0 or below Systems Affected: Web applications hosting the affected software Author: Liyun Li <liyun.li[at]nccgroup[dot]com> CVE Identifier: CVE-2021-39307
An attacker could steal a victim’s session tokens, log their keystrokes, steal private data, or perform privileged actions in the context of a victim’s session.
To reproduce this issue, first create the following HTML document and save the rendered content as PDF on a modern browser.
After that, use the “d” parameter to include the uploaded PDF file (e.g. http://webviewer-instance/#d=https://domain.tld/test.pdf).
Recommendation to Users
Upgrade WebViewer UI to 8.1, available at https://www.pdftron.com/documentation/web/download.
2021-08-16: Issue reported to PDFTron 2021-08-17: PDFTron confirmed the vulnerability 2021-08-23: PDFTron issued patch to nightly build 2021-09-09: PDFTron WebViewer 8.1 released 2021-09-14: Advisory released by NCC Group
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: September 14, 2021
Written by: Liyun Li