Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4m3g-6r7g-jv4f: Arbitrary JavaScript execution due to using outdated libraries

Summary

gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution.

PoC

  1. Generate a pdf file with a malicious script in the fontmatrix. (This will run alert(‘XSS’).) poc.pdf

  2. Run the app. In this PoC, I’ve used the demo for a simple proof. 1

  3. Upload a PDF file containing the script. 2

  4. Check that the script is running. 3

Impact

Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.

Mitigation

Upgrade the pdf.js to v4.2.67, which removes the vulnerability. (or set the option isEvalSupported to false.)

Reference

  1. https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
  2. https://github.com/mozilla/pdf.js/pull/18015
ghsa
Open in Source
#xss#csrf#vulnerability#js#git#java#pdf

Skip to content

Navigation Menu

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • GitHub Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-4m3g-6r7g-jv4f

Arbitrary JavaScript execution due to using outdated libraries

Low severity GitHub Reviewed Published Jun 4, 2024 in freddyaboulton/gradio-pdf • Updated Jun 5, 2024

Package

pip gradio_pdf (pip)

Affected versions

< 0.0.10

Description

Summary

gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution.

PoC

  1. Generate a pdf file with a malicious script in the fontmatrix. (This will run alert(‘XSS’).)
    poc.pdf

  2. Run the app. In this PoC, I’ve used the demo for a simple proof.

  3. Upload a PDF file containing the script.

  4. Check that the script is running.

Impact

Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.

Mitigation

Upgrade the pdf.js to v4.2.67, which removes the vulnerability. (or set the option isEvalSupported to false.)

Reference

  1. https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
  2. mozilla/pdf.js#18015

References

  • GHSA-4m3g-6r7g-jv4f
  • freddyaboulton/gradio-pdf@67edd0c

Published to the GitHub Advisory Database

Jun 5, 2024

ghsa: Latest News

GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters
ghsa