Description
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
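As an added illustration (not code from pdf.js, Mozilla, or any of the references linked below), the block models the bug class the description names: glyph-drawing code assembled as source text from font values and compiled with `new Function`, so a font value that is not a number is emitted verbatim and runs as JavaScript. The function names, the canvas stub and the hostile matrix are constructed for this example; the real pdf.js code path is not reproduced here.

```javascript
// Added example, not pdf.js code: a missing type check on font data turning
// into JavaScript execution when drawing code is generated as source text.
// All names below (compileGlyphUnsafe, compileGlyphSafe, makeCanvasStub) are
// assumptions made for this illustration, not the library's API.

function compileGlyphUnsafe(fontMatrix) {
  // Matrix values are joined straight into source text. A string element is
  // emitted as-is, so it can close the call and append its own statement.
  const src = `c.transform(${fontMatrix.join(",")});`;
  return new Function("c", src);
}

function isFiniteNumberArray(arr, len) {
  return (
    Array.isArray(arr) &&
    arr.length === len &&
    arr.every((v) => typeof v === "number" && Number.isFinite(v))
  );
}

function compileGlyphSafe(fontMatrix) {
  // The type check the vulnerable path lacked: reject anything that is not
  // exactly six finite numbers before the values reach any code generator.
  if (!isFiniteNumberArray(fontMatrix, 6)) {
    throw new TypeError("FontMatrix must be an array of six finite numbers");
  }
  // Pass the validated values as data instead of splicing them into source.
  return function (c) {
    c.transform(...fontMatrix);
  };
}

// Recording canvas stub so the example runs without a DOM.
function makeCanvasStub() {
  const calls = [];
  return { calls, transform: (...args) => calls.push(args) };
}

// Constructed inputs: a benign matrix, and one whose last element is a string
// that closes the transform() call and injects an extra statement.
const benignMatrix = [0.001, 0, 0, 0.001, 0, 0];
const hostileMatrix = [0, 0, 0, 0, 0, "0); c.pwned = true; (0"];

function runDemo() {
  // Unsafe path: the injected statement runs with the compiled function.
  const c1 = makeCanvasStub();
  compileGlyphUnsafe(hostileMatrix)(c1);
  const unsafeExecutedInjected = c1.pwned === true;

  // Hardened path: the same input is rejected before any code is built.
  let safeRejected = false;
  try {
    compileGlyphSafe(hostileMatrix);
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }

  // Hardened path still handles a well-formed matrix.
  const c2 = makeCanvasStub();
  compileGlyphSafe(benignMatrix)(c2);

  return { unsafeExecutedInjected, safeRejected, benignCall: c2.calls[0] };
}

console.log(runDemo());
```

The point of the safe variant is that validation alone is not the whole fix: even with a number check, keeping values as function arguments rather than source text removes the injection surface entirely, so a later change to the check cannot reopen it.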
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
firefox | fixed | 126.0-1 | package | |
firefox-esr | fixed | 115.11.0esr-1 | package | |
thunderbird | fixed | 1:115.11.0-1 | package | |
odoo | fixed | 16.0.0+dfsg.2-3 | package | |
Notes
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4367
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4367
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4367
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
https://github.com/mozilla/pdf.js/discussions/18168
https://github.com/odoo/odoo/commit/223d0d57e9ff
EPSS
Related vulnerabilities
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
A vulnerability in the PDF.js library caused by accessing a resource through incompatible types (type confusion), allowing an attacker to execute arbitrary JavaScript code