ng2-pdfjs-viewer is vulnerable to Cross-site Scripting (XSS)
80
High Risk
All versions of this package are vulnerable to CVE-2024-4367 because they use a vulnerable version of pdf.js, which permits arbitrary JavaScript execution through Cross-site Scripting (XSS).
You are affected if you use this package.
ng2-pdfjs-viewer is vulnerable to Cross-site Scripting (XSS) in all versions.
Since no fix is available for this package, you can mitigate the vulnerability by forking the library and setting the isEvalSupported property in the pdf.js configuration to false. Alternatively, you can use pdf.js directly by leveraging the https://www.npmjs.com/package/pdfjs-dist package.
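For the second option (using pdfjs-dist directly), the sketch below is an added example, not code from ng2-pdfjs-viewer or pdf.js: a small wrapper that forces isEvalSupported to false on every load, whatever the caller passes. The helper names buildLoadParams and openPdf are hypothetical, and pdfjsLib is assumed to be the imported pdfjs-dist module.

```javascript
// Added example: open PDFs through pdfjs-dist with eval support forced off.
// buildLoadParams/openPdf are hypothetical helper names; `pdfjsLib` is the
// pdfjs-dist module, passed in by the caller (assumption).

// Normalise the supported source kinds into getDocument() parameters.
function buildLoadParams(src, extra = {}) {
  let base;
  if (typeof src === "string" || src instanceof URL) {
    base = { url: String(src) };
  } else if (src instanceof Uint8Array || src instanceof ArrayBuffer) {
    base = { data: src };
  } else if (src && typeof src === "object") {
    base = { ...src }; // caller already supplied a parameter object
  } else {
    throw new TypeError("unsupported PDF source");
  }
  // Spread order matters: isEvalSupported comes last, so neither `src`
  // nor `extra` can switch it back on.
  return { ...base, ...extra, isEvalSupported: false };
}

// Single entry point for the application: every document load goes
// through here, so the hardened setting cannot be skipped by accident.
function openPdf(pdfjsLib, src, extra) {
  const params = buildLoadParams(src, extra);
  return pdfjsLib.getDocument(params).promise;
}

// Usage in an application (not executed here):
//   import * as pdfjsLib from "pdfjs-dist";
//   const doc = await openPdf(pdfjsLib, "/files/report.pdf");
```

Routing all loads through one function also gives code review a single place to confirm the setting.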