aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/pdfjs/CVE-2024-4367
History
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00
..
1.png
first commit
2025-09-06 16:08:15 +08:00
docker-compose.yml
first commit
2025-09-06 16:08:15 +08:00
index.php
first commit
2025-09-06 16:08:15 +08:00
poc.pdf
first commit
2025-09-06 16:08:15 +08:00
README.md
first commit
2025-09-06 16:08:15 +08:00
README.zh-cn.md
first commit
2025-09-06 16:08:15 +08:00

README.md

PDF.js Arbitrary JavaScript Code Execution (CVE-2024-4367)

中文版本(Chinese version)

PDF.js is a Portable Document Format (PDF) viewer that is built with HTML5.

In the PDF.js version prior to 4.1.392, a JavaScript code injection was found. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened.

References:

Vulnerable environment

Execute following command to start a server that contains PDF.js 4.1.392:

docker compose up -d

After the server is started, browse http://your-ip:8080 you will see an uploading page.

Vulnerability reproduce

Upload malicious PDF file poc.pdf to trigger the XSS: