Vendor: PDFTron Vendor URL: https://www.pdftron.com/ Versions affected: WebViewer UI 8.0 or below Systems Affected: Web applications hosting the affected software Author: Liyun Li <liyun.li[at]nccgroup[dot]com> CVE Identifier: CVE-2021-39307
An attacker could steal a victim’s session tokens, log their keystrokes, steal private data, or perform privileged actions in the context of a victim’s session.
To reproduce this issue, first create the following HTML document and save the rendered content as PDF on a modern browser.
After that, use the “d” parameter to include the uploaded PDF file (e.g. http://webviewer-instance/#d=https://domain.tld/test.pdf).
Recommendation to Users
Upgrade WebViewer UI to 8.1, available at https://www.pdftron.com/documentation/web/download.
2021-08-16: Issue reported to PDFTron 2021-08-17: PDFTron confirmed the vulnerability 2021-08-23: PDFTron issued patch to nightly build 2021-09-09: PDFTron WebViewer 8.1 released 2021-09-14: Advisory released by NCC Group
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: September 14, 2021
Written by: Liyun Li