An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake applicaton). Anyone installing this is responsible for ensuring that it is only available to authorized testers.
[
{
"cpes": [
"cpe:2.3:a:pdfmake_project:pdfmake:*:*:*:*:*:*:*:*"
],
"vendor": "pdfmake_project",
"product": "pdfmake",
"versions": [
{
"status": "affected",
"version": "0.2.9"
}
],
"defaultStatus": "unknown"
}
]