Description
PDF documents uploaded to Hubshare render dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. The Hubshare application appears to use a vulnerable version of PDFTron Webviewer UI for document viewing, collaboration and annotation.

Risk level: Critical

Fix: Upgrade to version 3.3.11.1 or later.
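A defence-in-depth check for applications that render link targets from uploaded documents, given here as an added example that is not Hubshare or PDFTron code: an allow-list on the URL scheme, applied before a target is turned into a hyperlink. The names `safeLinkHref` and `ALLOWED_SCHEMES`, the base URL and the sample targets are assumptions constructed for illustration.

```javascript
// Added example: scheme allow-list for link targets taken from an uploaded document.
// ALLOWED_SCHEMES and safeLinkHref are hypothetical names, not Hubshare or PDFTron APIs.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized href that is safe to place in an <a href>, or null.
// `base` (assumed value) is the viewer page's own URL, used to resolve relative links.
function safeLinkHref(raw, base = "https://viewer.example/") {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser normalizes input the way a browser does: it trims
    // leading/trailing control characters and spaces, drops embedded tabs and
    // newlines, and lowercases the scheme, so "java\tscript:" and
    // " JaVaScRiPt:" are both seen as "javascript:".
    url = new URL(raw, base);
  } catch {
    return null; // unparseable target: render as plain text, not as a link
  }
  // Allow-list, not deny-list: data:, vbscript:, file: and so on are also refused.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Constructed sample link targets, as they might appear in PDF link annotations.
const samples = [
  "https://example.com/report.pdf",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<b>x</b>",
  "/docs/page2",
  "mailto:security@example.com",
];

function classify(targets) {
  return targets.map((t) => ({ target: t, href: safeLinkHref(t) }));
}

for (const { target, href } of classify(samples)) {
  console.log(JSON.stringify(target), "->", href === null ? "blocked" : href);
}
```

Comparing the raw string against `"javascript:"` would miss the obfuscated variants; checking the parsed `protocol` does not.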
Affected products
Hubshare
More information
The issue was fixed as a result of upgrading the PDFTron Viewer library. No Hubshare source code changes were needed.
Acknowledgement
We thank Michael Newton <mnewton@themissinglink.com.au> for responsible disclosure.
