← volver
CVE-2024-4367

CVE-2024-4367

CVSS 5.6 MEDIUMEPSS 72.6%CWE-754
Vexday Risk Score
55Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 5.6EPSS 72.6%KEV nãoPoC públicaNuclei Metasploit Patch
Ciclo de vida
14 may 2024Publicada en NVD
20 may 2024PoC pública
Recomendación: Planificar corrección próxima — ya existe PoC pública.
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Productos afectados
Mozilla · FirefoxMozilla · Firefox ESRMozilla · Thunderbird
PoCs públicas encontradas23
githubgithub.com/LOURC0D3/CVE-2024-4367-PoC201githubgithub.com/s4vvysec/CVE-2024-4367-POC58githubgithub.com/Zombie-Kaiser/cve-2024-4367-PoC-fixed12githubgithub.com/spaceraccoon/detect-cve-2024-436711githubgithub.com/snyk-labs/pdfjs-vuln-demo10githubgithub.com/UnHackerEnCapital/PDFernetRemotelo6githubgithub.com/clarkio/pdfjs-vuln-demo4githubgithub.com/Masamuneee/CVE-2024-4367-Analysis4githubgithub.com/1337rokudenashi/Odoo_PDFjs_CVE-2024-4367.pdf2githubgithub.com/kabiri-labs/CVE-2024-4367-PoC1githubgithub.com/elamani-drawing/CVE-2024-4367-POC-PDFJS1githubgithub.com/pS3ud0RAnD0m/cve-2024-4367-poc1githubgithub.com/avalahEE/pdfjs_disable_eval1githubgithub.com/m0d0ri205/PDFJS0githubgithub.com/0xr2r/CVE-2024-43670githubgithub.com/xiaoqiesec0x1/CVE-2024-4367-PDF.js-xss0githubgithub.com/J1nKsC/CVE-2024-4367_test0githubgithub.com/PenguinCabinet/CVE-2024-4367-hands-on0githubgithub.com/pedrochalegre7/CVE-2024-4367-pdf-sample0githubgithub.com/VVeakee/CVE-2024-43670githubgithub.com/BektiHandoyo/cve-pdf-host0githubgithub.com/Bhavyakcwestern/Hacking-pdf.js-vulnerability0cve_referencewww.exploit-db.com/exploits/52273no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645https://cert-portal.siemens.com/productcert/html/ssa-827383.htmlhttps://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/http://seclists.org/fulldisclosure/2024/Aug/30https://github.com/gogs/gogs/issues/7928https://github.com/mozilla/pdf.js/releases/tag/v4.2.67https://lists.debian.org/debian-lts-announce/2024/05/msg00010.htmlhttps://lists.debian.org/debian-lts-announce/2024/05/msg00012.htmlhttps://www.exploit-db.com/exploits/52273https://www.mozilla.org/security/advisories/mfsa2024-21/https://www.mozilla.org/security/advisories/mfsa2024-22/https://www.mozilla.org/security/advisories/mfsa2024-23/