← back
CVE-2024-4367

CVE-2024-4367

CVSS 5.6 MEDIUMEPSS 72.6%CWE-754
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products
Mozilla · FirefoxMozilla · Firefox ESRMozilla · Thunderbird
public PoCs found23
githubgithub.com/LOURC0D3/CVE-2024-4367-PoC201githubgithub.com/s4vvysec/CVE-2024-4367-POC58githubgithub.com/Zombie-Kaiser/cve-2024-4367-PoC-fixed12githubgithub.com/spaceraccoon/detect-cve-2024-436711githubgithub.com/snyk-labs/pdfjs-vuln-demo10githubgithub.com/UnHackerEnCapital/PDFernetRemotelo6githubgithub.com/clarkio/pdfjs-vuln-demo4githubgithub.com/Masamuneee/CVE-2024-4367-Analysis4githubgithub.com/1337rokudenashi/Odoo_PDFjs_CVE-2024-4367.pdf2githubgithub.com/kabiri-labs/CVE-2024-4367-PoC1githubgithub.com/elamani-drawing/CVE-2024-4367-POC-PDFJS1githubgithub.com/pS3ud0RAnD0m/cve-2024-4367-poc1githubgithub.com/avalahEE/pdfjs_disable_eval1githubgithub.com/m0d0ri205/PDFJS0githubgithub.com/0xr2r/CVE-2024-43670githubgithub.com/xiaoqiesec0x1/CVE-2024-4367-PDF.js-xss0githubgithub.com/J1nKsC/CVE-2024-4367_test0githubgithub.com/PenguinCabinet/CVE-2024-4367-hands-on0githubgithub.com/pedrochalegre7/CVE-2024-4367-pdf-sample0githubgithub.com/VVeakee/CVE-2024-43670githubgithub.com/BektiHandoyo/cve-pdf-host0githubgithub.com/Bhavyakcwestern/Hacking-pdf.js-vulnerability0cve_referencewww.exploit-db.com/exploits/52273unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645https://cert-portal.siemens.com/productcert/html/ssa-827383.htmlhttps://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/http://seclists.org/fulldisclosure/2024/Aug/30https://github.com/gogs/gogs/issues/7928https://github.com/mozilla/pdf.js/releases/tag/v4.2.67https://lists.debian.org/debian-lts-announce/2024/05/msg00010.htmlhttps://lists.debian.org/debian-lts-announce/2024/05/msg00012.htmlhttps://www.exploit-db.com/exploits/52273https://www.mozilla.org/security/advisories/mfsa2024-21/https://www.mozilla.org/security/advisories/mfsa2024-22/https://www.mozilla.org/security/advisories/mfsa2024-23/