CVE-2024-4367
- Source
- https://cve.org/CVERecord?id=CVE-2024-4367
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-4367.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-4367
- Aliases
- Downstream
- Related
- Published
- 2024-05-14T18:15:12.467Z
- Modified
- 2026-03-14T14:54:45.902151Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
- References
-
- https://github.com/mozilla/pdf.js/releases/tag/v4.2.67
- https://www.exploit-db.com/exploits/52273
- https://www.mozilla.org/security/advisories/mfsa2024-23/
- https://www.mozilla.org/security/advisories/mfsa2024-21/
- https://www.mozilla.org/security/advisories/mfsa2024-22/
- https://github.com/gogs/gogs/issues/7928
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
- http://seclists.org/fulldisclosure/2024/Aug/30
- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html
- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
- https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
Affected packages
Git / github.com/mozilla/pdf.js
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mozilla/pdf.js
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0.277
milestone-0.*
milestone-0.2
v0.*
v0.1.0
v0.3.459
v0.4.11
v0.5.5
v0.8.1181
v0.8.1334
v1.*
v1.0.1040
v1.0.1149
v1.0.2
v1.0.21
v1.0.277
v1.0.403
v1.0.473
v1.0.68
v1.0.712
v1.0.907
v1.1.1
v1.1.114
v1.1.215
v1.1.3
v1.1.366
v1.1.469
v1.10.88
v1.2.109
v1.3.88
v1.4.11
v1.4.20
v1.5.188
v1.6.210
v1.7.225
v1.8.170
v1.8.188
v1.9.426
v2.*
v2.0.943
v2.1.266
v2.10.377
v2.11.338
v2.12.313
v2.13.216
v2.14.305
v2.15.349
v2.16.105
v2.2.228
v2.3.200
v2.4.456
v2.5.207
v2.6.347
v2.7.570
v2.8.335
v2.9.359
v3.*
v3.0.279
v3.1.81
v3.10.111
v3.11.174
v3.2.146
v3.3.122
v3.4.120
v3.5.141
v3.6.172
v3.7.107
v3.8.162
v3.9.179
v4.*
v4.0.189
v4.0.269
v4.0.379
v4.1.392
Other
vundefined
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"fixed": "115.11.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "126.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "115.11.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.10.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-NA"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision10"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision11"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision12"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision13"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision14"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision15"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision16"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision17"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision18"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision19"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision20"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision21"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision22"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision23"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision24"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision25"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision26"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision27"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision28"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision29"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision30"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision31"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision32"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision34"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision35"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision36"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision37"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision38"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision39"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision40"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision41"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision42"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision43"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision44"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision7"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision8"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.10.6-revision9"
}
]
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-4367.json"