Headline
CVE-2023-6125: JavaScript Code Execution in PDF in suitecrm
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
Description
The application accepts PDF files with embedded JavaScript code, which results in JavaScript code injection and execution. This vulnerability allows an adversary to upload PDF files with malicious content and have that content executed.
Proof of Concept
1. Log in as a user
2. Go to Collaboration > Documents > Create Documents
3. Upload a malicious PDF file and click save
4. Go to another user account (could be admin) and view the same file; the payload will be executed
5. Repeat the same process for another malicious file
POC Video
Malicious PDF File 1
Malicious PDF File 2
JavaScript Code of Malicious PDF File 1
JavaScript Code of Malicious PDF File 2
This has also been tested on the demo. Demo POC
Impact
This vulnerability leads to JavaScript code execution, which could make arbitrary changes to the content of the uploaded PDF and much more.
Further vulnerabilities are possible, according to the information mentioned here: PDF Functions
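An upload-side check for the condition described above, as an added example (not SuiteCRM's fix and not code from the report): it flags PDFs whose raw or Flate-inflated bytes contain the name tokens that hold or trigger JavaScript. The function names and the sample documents are constructed for illustration; encrypted PDFs and other stream filters are not inspected, so this is a triage heuristic rather than a full parser.

```python
import re
import zlib

# PDF name tokens that carry or trigger JavaScript: /JS and /JavaScript hold
# script, /OpenAction and /AA fire actions without user interaction.
SCRIPT_NAMES = {b"JS", b"JavaScript", b"OpenAction", b"AA"}
NAME_RE = re.compile(rb"/([^\s/<>\[\](){}%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so that /J#53 and /JS compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def _inflated_streams(data: bytes):
    """Yield the contents of Flate-compressed streams (e.g. object streams)."""
    for match in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate, or encrypted: this scan cannot see inside


def script_names_in_pdf(data: bytes) -> set:
    """Return the script-related name tokens found in raw or inflated bytes."""
    found = set()
    for blob in [data, *_inflated_streams(data)]:
        for match in NAME_RE.finditer(blob):
            name = _decode_name(match.group(1))
            if name in SCRIPT_NAMES:
                found.add(name.decode())
    return found


def should_reject_upload(data: bytes) -> bool:
    """Upload policy: refuse non-PDFs and PDFs with script or auto-actions."""
    if not data.lstrip().startswith(b"%PDF-"):
        return True
    return bool(script_names_in_pdf(data))


# Constructed samples: no script, plain script tokens, tokens in a stream.
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /J#53 (placeholder) >>\nendobj\n%%EOF\n")
HIDDEN = (b"%PDF-1.5\n3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>") + b"\nendstream\n")
```

Serving stored documents with `Content-Disposition: attachment` rather than rendering them inline is a complementary control, since a token scan can miss content it cannot decode.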