ng2-pdfjs-viewer is vulnerable to Cross-site Scripting (XSS)
80
High Risk
All versions of this package are vulnerable to CVE-2024-4367 due to the use of a vulnerable version of pdf.js, which permits arbitrary JavaScript execution through Cross-site Scripting (XSS).
You are affected if you use this package.
ng2-pdfjs-viewer is vulnerable to Cross-site Scripting (XSS) in all versions.
Since no fix is available for this package, you can mitigate the vulnerability by forking the library and setting the isEvalSupported property in the pdf.js configuration to false. Alternatively, you can use pdf.js directly by leveraging the https://www.npmjs.com/package/pdfjs-dist package.
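The two mitigations above can be combined when calling pdf.js directly. The following is an added example, not code from ng2-pdfjs-viewer or pdf.js: a wrapper that every PDF load goes through, which pins isEvalSupported to false even if a caller passes true. The names openPdfHardened and toSourceParams are hypothetical, and pdfjsLib is assumed to be the module object imported from pdfjs-dist.

```javascript
// Added example: route every PDF load through one wrapper that pins
// isEvalSupported to false. `pdfjsLib` is the module object the app gets
// from pdfjs-dist; it is injected so the wrapper can be tested with a stub.
// openPdfHardened and toSourceParams are hypothetical names.

// Normalise the supported source kinds into getDocument() parameters.
function toSourceParams(source) {
  if (typeof source === "string" || source instanceof URL) {
    return { url: String(source) };
  }
  if (source instanceof ArrayBuffer) {
    return { data: new Uint8Array(source) };
  }
  if (ArrayBuffer.isView(source)) {
    return {
      data: new Uint8Array(source.buffer, source.byteOffset, source.byteLength),
    };
  }
  throw new TypeError("source must be a URL string, URL, ArrayBuffer or typed array");
}

function openPdfHardened(pdfjsLib, source, extraParams = {}) {
  if (!pdfjsLib || typeof pdfjsLib.getDocument !== "function") {
    throw new TypeError("pdfjsLib.getDocument is not available");
  }
  // Record attempts to re-enable eval so they can be logged and cleaned up.
  const overrideBlocked =
    Object.prototype.hasOwnProperty.call(extraParams, "isEvalSupported") &&
    extraParams.isEvalSupported !== false;
  // Caller options are spread first, so the source and the pinned
  // isEvalSupported value always win over anything the caller supplied.
  const params = {
    ...extraParams,
    ...toSourceParams(source),
    isEvalSupported: false,
  };
  return { loadingTask: pdfjsLib.getDocument(params), overrideBlocked };
}

// Usage in the app (not run here):
//   const { loadingTask } = openPdfHardened(pdfjsLib, "/docs/report.pdf");
//   const pdf = await loadingTask.promise;
```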