While working on a security audit, our researcher found a security weakness affecting PrizmDoc HTML5 Document Viewer 13.3 and all previous versions. It has been assigned CVE-2018-15546.
PrizmDoc is a suite of web services, accessed through REST APIs, that provide document and image processing functionality for your application.
To reproduce the issue, you need a PDF file carrying an XSS payload; you can download one from the link below:
Now all you need to do is upload the file to the application and open it in the PrizmDoc viewer. Clicking the JavaScript link inside the document executes the XSS payload.
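The viewer is the component at fault here, but an application that accepts arbitrary user uploads can still gate what reaches the viewer. The following is an added example, not code from this advisory or from the PrizmDoc vendor: a small Python scanner that flags PDFs carrying active content before they are handed to a document viewer. It looks for the /JavaScript, /JS, /OpenAction, /AA and /Launch keys and for link annotations whose /URI uses the javascript: scheme, and it unescapes #XX name encoding and inflates FlateDecode streams so the check is not defeated by trivial obfuscation. The PDF fragments embedded below are constructed test inputs, not the file the advisory refers to.

```python
import re
import zlib

# Dictionary keys that introduce active content into a PDF (PDF names are case-sensitive).
ACTIVE_CONTENT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# Constructed sample (not the advisory's file): one link annotation with a javascript: URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (javascript:alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed clean sample: same layout, but the link points at an https URL.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _unescape_names(data: bytes) -> bytes:
    """PDF names may encode any byte as #XX, so /J#61vaScript is /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes):
    """Yield the inflated body of every FlateDecode stream; skip streams that do not inflate."""
    for m in re.finditer(rb"(?<![a-z])stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def scan_pdf_bytes(data: bytes) -> list:
    """Return a sorted list of findings describing active content found in the PDF bytes."""
    findings = set()
    buffers = [data] + list(_inflate_streams(data))
    for buf in buffers:
        text = _unescape_names(buf)
        for key in ACTIVE_CONTENT_KEYS:
            # Require a delimiter after the name so /JS does not match an unrelated /JSomething.
            if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", text):
                findings.add("active content key " + key.decode())
        # Link actions whose target string starts with the javascript: scheme.
        for m in re.finditer(rb"/URI\s*\(\s*(javascript\s*:[^)]*)", text, re.IGNORECASE):
            findings.add("javascript: URI link " + m.group(1).decode(errors="replace"))
    return sorted(findings)


def is_safe_to_render(data: bytes) -> bool:
    """Gate for an upload handler: True only when the scanner reports nothing."""
    return not scan_pdf_bytes(data)


def build_flate_sample() -> bytes:
    """Constructed sample whose javascript: link is hidden inside a compressed object stream."""
    inner = b"<< /S /URI /URI (javascript:alert(1)) >>"
    comp = zlib.compress(inner)
    return (b"5 0 obj << /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF), ("flate", build_flate_sample())):
        print(label, "->", scan_pdf_bytes(blob) or "no active content")
```

This is a byte-level heuristic meant as a pre-filter, not a parser: it does not resolve indirect objects, cross-reference streams, or filters other than Flate, so a production gate should run the same checks over the object tree produced by a real PDF library (pikepdf, for example) and should be paired with the vendor's fixed viewer rather than used instead of it.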
Recommendation:
The vendor released a fix for the vulnerability in v13.4.
References:
Timeline:
Jul 26, 2018 — Vulnerability Discovered
Jul 26, 2018 — Vulnerability Reported
Jul 27, 2018 — Vulnerability Acknowledged by vendor
Jul 28, 2018 — Vendor Response on Fix scheduled in September
September 10, 2018 — Vulnerability Fixed