Lucene search

Veracode Vulnerability DatabaseVERACODE:46795

HistoryMay 08, 2024 - 5:55 a.m.

Arbitrary JavaScript Execution

2024-05-0805:55:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

react-pdf

vulnerability

javascript

execution

software

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.5%

JSON

react-pdf is vulnerable to Arbitrary JavaScript Execution. This vulnerability is due to isEvalSupported set to true by default, allowing for the execution of arbitrary JavaScript code embedded within the PDF.

CPENameOperatorVersion
react-pdfle8.0.1
react-pdfle7.7.2
react-pdfle8.0.1
react-pdfle7.7.2

Name	Operator	Version
react-pdf	le	8.0.1
react-pdf	le	7.7.2
react-pdf	le	8.0.1
react-pdf	le	7.7.2

References

github.com/advisories/GHSA-87hq-q4gp-9wr4

github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6

github.com/mozilla/pdf.js/pull/18015

github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq

github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe

github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad

github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.5%

JSON

Related for VERACODE:46795