GHSA-7jg2-jgv3-fmr4

Source

https://github.com/advisories/GHSA-7jg2-jgv3-fmr4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7jg2-jgv3-fmr4/GHSA-7jg2-jgv3-fmr4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7jg2-jgv3-fmr4

Aliases

CVE-2018-5158

Published

2022-05-14T01:22:02Z

Modified

2024-05-28T21:12:08.572660Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Malicious PDF can inject JavaScript into PDF Viewer

Details

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8, Firefox < 60 and PDF.js < 2.0.550.

References

Affected packages

npm / pdfjs-dist

Package

Name: pdfjs-dist; View open source insights on deps.dev
Purl: pkg:npm/pdfjs-dist

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0

Fixed

2.0.550

npm / pdfjs-dist

Package

Name: pdfjs-dist; View open source insights on deps.dev
Purl: pkg:npm/pdfjs-dist

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.100