8.8

CVE-2024-4367

PDF.js < 4.2.67 - Arbitrary JavaScript Execution

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Mögliche Gegenmaßnahme
DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer: Update to version 1.15.6, or a newer patched version
ARI Fancy Lightbox – Popup for WordPress: Update to version 1.3.15, or a newer patched version
BSK PDF Manager: Update to version 3.6.1, or a newer patched version
EmbedPress – PDF Embedder, 3D PDF FlipBook, Google Reviews, YouTube Videos, Upload & Embed PDF documents: Update to version 4.0.3, or a newer patched version
PDF Embedder: Update to version 4.8.0, or a newer patched version
PDF Poster – Display PDF Files with Custom Viewer: Update to version 2.1.22, or a newer patched version
PDF Viewer for Elementor: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
PDF viewer for Elementor & Gutenberg: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
PDF.js Viewer: Update to version 2.2, or a newer patched version
Tainacan: Update to version 0.21.6, or a newer patched version
Wonder PDF Embed: Update to version 2.8, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MozillaFirefox SwEditionesr Version < 115.11.0
MozillaFirefox SwEdition- Version < 126.0
MozillaThunderbird Version < 115.11.0
DebianDebian Linux Version10.0
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Update-
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision10
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision11
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision12
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision13
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision14
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision15
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision16
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision17
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision18
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision19
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision20
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision21
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision22
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision23
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision24
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision25
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision26
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision27
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision28
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision29
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision3
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision30
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision31
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision32
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision33
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision34
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision35
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision36
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision37
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision38
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision39
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision4
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision40
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision41
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision42
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision43
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision44
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision5
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision6
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision7
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision8
Open-xchangeOpen-xchange Appsuite Frontend Version7.10.6 Updaterevision9
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Version *-1.15.5
SystemWordPress Plugin
Produkt ARI Fancy Lightbox – Popup for WordPress
Version *-1.3.14
SystemWordPress Plugin
Produkt BSK PDF Manager
Version *-3.6
SystemWordPress Plugin
Produkt EmbedPress – PDF Embedder, 3D PDF FlipBook, Google Reviews, YouTube Videos, Upload & Embed PDF documents
Version *-4.0.2
SystemWordPress Plugin
Produkt PDF Embedder
Version *-4.7.1
SystemWordPress Plugin
Produkt PDF Poster – Display PDF Files with Custom Viewer
Version *-2.1.21
SystemWordPress Plugin
Produkt PDF Viewer for Elementor
Version *-2.9.3
SystemWordPress Plugin
Produkt PDF viewer for Elementor & Gutenberg
Version *-1.3.2
SystemWordPress Plugin
Produkt PDF.js Viewer
Version *-2.1.8.1
SystemWordPress Plugin
Produkt Tainacan
Version *-0.21.5
SystemWordPress Plugin
Produkt Wonder PDF Embed
Version *-2.7
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 72.65% 0.994
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.6 2.2 3.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
Issue Tracking
https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html
Mailing List
https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
Mailing List
https://www.mozilla.org/security/advisories/mfsa2024-21/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-22/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-23/
Vendor Advisory
http://seclists.org/fulldisclosure/2024/Aug/30
Mailing List
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
https://github.com/gogs/gogs/issues/7928
https://github.com/mozilla/pdf.js/releases/tag/v4.2.67
https://www.exploit-db.com/exploits/52273
https://cert-portal.siemens.com/productcert/html/ssa-827383.html
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ce7aa01-7e79-4048-a84d-fcb9541d5f8b
Third Party Advisory