first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
27
pdfjs/CVE-2024-4367/README.md
Normal file
27
pdfjs/CVE-2024-4367/README.md
Normal file
@@ -0,0 +1,27 @@
|
||||
# PDF.js Arbitrary JavaScript Code Execution (CVE-2024-4367)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
PDF.js is a Portable Document Format (PDF) viewer that is built with HTML5.
|
||||
|
||||
In the PDF.js version prior to 4.1.392, a JavaScript code injection was found. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened.
|
||||
|
||||
References:
|
||||
|
||||
- <https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/>
|
||||
|
||||
## Vulnerable environment
|
||||
|
||||
Execute following command to start a server that contains PDF.js 4.1.392:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the server is started, browse `http://your-ip:8080` you will see an uploading page.
|
||||
|
||||
## Vulnerability reproduce
|
||||
|
||||
Upload malicious PDF file [poc.pdf](poc.pdf) to trigger the XSS:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user