CVE-2024-4367

Mozilla: Arbitrary JavaScript execution in PDF.js

Description

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

INFO

Published Date :

2024-05-14T17:21:23.486Z

Last Modified :

2025-04-24T18:19:17.818Z

Source :

mozilla

AFFECTED PRODUCTS

The following products are affected by CVE-2024-4367 vulnerability.

Vendors	Products
Debian	Debian Linux
Mozilla	Firefox Firefox Esr Thunderbird
Open-xchange	Open-xchange Appsuite Frontend
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-4367.

URL	Resource
http://seclists.org/fulldisclosure/2024/Aug/30
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
https://github.com/gogs/gogs/issues/7928
https://github.com/mozilla/pdf.js/releases/tag/v4.2.67
https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html
https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
https://nvd.nist.gov/vuln/detail/CVE-2024-4367
https://www.cve.org/CVERecord?id=CVE-2024-4367
https://www.exploit-db.com/exploits/52273
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4367
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4367
https://www.mozilla.org/security/advisories/mfsa2024-21/
https://www.mozilla.org/security/advisories/mfsa2024-22/
https://www.mozilla.org/security/advisories/mfsa2024-23/

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact