
Regarding Cross-Site Scripting (XSS) Vulnerabilities in WebViewer SDK

By Apryse | 2024 May 02


As one of the global leaders in document processing, our team at Apryse takes security extremely seriously. That’s why, when a recent report came in about a software vulnerability within WebViewer, the Apryse Security and Development teams sprang into action, immediately confirming the vulnerability and releasing a patch in under 48 hours.

Existing WebViewer customers were informed via email on March 8th of the new patch for improved security, as per our coordinated vulnerability disclosure process.

Since that date we have put concerted effort into reviewing this area of our software. In doing so, we found additional areas of risk related to Cross-Site Scripting. The newest release includes further improvements that reduce that risk.

Users who remain on WebViewer SDK versions released before May 1, 2024, and who have not implemented our recommended Content Security Policy, could be affected by Cross-Site Scripting attacks. Triggering these vulnerabilities requires user interaction: a malicious PDF file must be opened in an Apryse WebViewer editor. Such a file may carry content equivalent to HTML and JavaScript in a PDF Text Field element, a PDF action, or a similar construct. The consequences can generally be avoided with our recommended Content Security Policy in place, and more broadly by following safe file-handling practices such as only opening files from trusted internal users, but we still recommend updating to a newer version of WebViewer for stronger protection.
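The root cause described above is document-controlled text (a form field value, an action string) reaching the viewer's DOM as markup. The following is an added illustration written for this page, not WebViewer code: the `field` object shape and both render functions are assumptions, and the sample field value is constructed. It contrasts interpolating the raw value into HTML with escaping it first.

```javascript
// Added example: rendering an untrusted PDF text-field value into HTML.
// Illustrative only; this is not WebViewer's code. The { name, value }
// field shape and the two render functions are assumptions for this page.

// Escape the characters that let a string break out of HTML text or
// attribute context. Applied to every string the document controls.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: the field's name and value are interpolated straight
// into markup, so any HTML inside the PDF is interpreted by the browser.
function renderTextFieldUnsafe(field) {
  return `<label>${field.name}</label><div class="value">${field.value}</div>`;
}

// Hardened pattern: the same markup, but every document-controlled
// string is escaped before it is concatenated into HTML.
function renderTextFieldSafe(field) {
  return (
    `<label>${escapeHtml(field.name)}</label>` +
    `<div class="value">${escapeHtml(field.value)}</div>`
  );
}

// Constructed sample: a text field whose value contains markup instead
// of plain text, as a malicious document might supply.
const sampleField = { name: "Comments", value: "<i>note</i>" };

console.log("unsafe:", renderTextFieldUnsafe(sampleField));
console.log("safe:  ", renderTextFieldSafe(sampleField));
```

In browser code the simpler route is to avoid string-built HTML entirely and assign document-derived values with `element.textContent`, which never parses markup; the escaping helper is for the cases where HTML strings are unavoidable. A Content Security Policy that disallows inline script is the second layer, since it limits what injected markup can execute even when an escaping step is missed.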

If your use of WebViewer involves opening PDF files that originate from, or are uploaded by, external parties, and links to those PDFs can be shared with other users who then open them in WebViewer, we recommend upgrading WebViewer to one of the versions noted below.

Immediate Action

  1. If you have not already implemented WebViewer’s recommended Content Security Policy, please do so as soon as possible.
  2. Known vulnerabilities can be eliminated by updating your WebViewer version to any of the updated versions (released May 1, 2024). If you have recently updated, we still recommend upgrading to one of the versions below, or a later version, as they address all known risks:

  - 10.9.0 (Direct Download, NPM)
  - 8.12.3 (Direct Download, NPM)
  - 7.3.6 (Direct Download, NPM)
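To tell whether an installed build is at or above the patched release for its major line, the small helper below compares a version string against the three releases listed above. It is an added example for this page, not Apryse tooling; how it treats major lines the advisory does not name (anything other than 7, 8 and 10) is an assumption and is marked as such in the code.

```javascript
// Added example: check an installed WebViewer version against the patched
// releases named in this advisory. Not Apryse tooling; the handling of
// major lines the advisory does not list is an assumption.

// Patched releases from the advisory, keyed by major version line.
const PATCHED_BY_MAJOR = { 10: "10.9.0", 8: "8.12.3", 7: "7.3.6" };

// Parse "MAJOR.MINOR.PATCH" (any trailing suffix is ignored) into numbers.
function parseVersion(version) {
  const match = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!match) throw new Error(`unrecognised version string: ${version}`);
  return match.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Decide whether `installed` is at or above the patched release of its line.
function assessVersion(installed) {
  const major = parseVersion(installed)[0];
  const patched = PATCHED_BY_MAJOR[major];

  if (patched === undefined) {
    // Assumption: a line newer than 10.x postdates every listed release and
    // counts as patched; any other unlisted line (e.g. 9.x) is treated as
    // unpatched and pointed at the newest listed release.
    const newer = major > 10;
    return {
      patched: newer,
      minimum: "10.9.0",
      reason: newer
        ? "newer than every release listed in the advisory"
        : "no patched release listed for this major line",
    };
  }

  const ok = compareVersions(installed, patched) >= 0;
  return {
    patched: ok,
    minimum: patched,
    reason: ok ? "at or above the patched release" : "below the patched release",
  };
}

// Constructed sample inputs covering each branch.
for (const v of ["8.11.0", "8.12.3", "10.10.1", "9.4.0", "7.3.5"]) {
  const r = assessVersion(v);
  console.log(`${v}: ${r.patched ? "OK" : "UPGRADE"} (minimum ${r.minimum}; ${r.reason})`);
}
```

The version string itself comes from wherever your deployment records it (for an npm install, the `version` field of the package's `package.json`); the helper only does the comparison, and the pre-release suffix handling is deliberately lenient because the advisory lists plain three-part versions.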

If you have any questions or concerns regarding the reports CVE-2024-29359 and CVE-2024-4327, or any other security-related inquiry, reach out to Apryse Support.
