Arbitrary JavaScript execution due to using outdated libraries
Low severity • GitHub Reviewed
Published Jun 4, 2024 in freddyaboulton/gradio-pdf • Updated Jun 5, 2024
Description
Published to the GitHub Advisory Database: Jun 5, 2024
Reviewed: Jun 5, 2024
Last updated: Jun 5, 2024
Summary
gradio-pdf projects that depend on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution when a crafted PDF is rendered.
PoC
Generate a PDF file with a malicious script in the FontMatrix. (This will run alert('XSS').) poc.pdf
Run the app. In this PoC, I've used the demo for a simple proof.
![1](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/d1bb7626-3d0f-4984-8873-297658d6e77e)
Upload a PDF file containing the script.
![2](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/803d8080-c946-446e-bb34-cf5640e1b4de)
Check that the script is running.
![3](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/4956b95f-acca-4bb1-a3c2-7dfc96adf890)
Impact
Malicious scripts can be injected into the page, and when chained with vulnerabilities such as CSRF, they can cause even greater damage. In particular, it can become a source of further attacks, especially when combined with social engineering.
Mitigation
Upgrade pdf.js to v4.2.67, which removes the vulnerability (or set the option isEvalSupported to false).
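As an added example (not gradio-pdf's or pdf.js's own code), the following wrapper applies the mitigation above on the client side: it forces isEvalSupported to false on every getDocument() call and reports whether the bundled pdf.js build still predates the fixed release. It assumes a pdfjs-dist-like object exposing a version string and getDocument(); the version numbers and file name in the demo are constructed samples.

```javascript
// Added example, not gradio-pdf's or pdf.js's own code: a small loader wrapper
// that applies the advisory's mitigation. It always passes isEvalSupported:false
// to getDocument() so font programs are interpreted instead of compiled with
// eval/Function, and it reports whether the bundled pdf.js still predates the
// fixed release so an upgrade can be scheduled.
const FIXED_VERSION = "4.2.67"; // release that removes CVE-2024-4367 (from the advisory)

// Numeric comparison of dotted version strings: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = String(a).split(".").map(Number);
  const pb = String(b).split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// True when this pdf.js build is older than the fix and relies on the option alone.
function isVulnerablePdfJs(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Copy caller parameters but force isEvalSupported off, even if they set it to true.
function hardenedDocumentParams(params) {
  return { ...params, isEvalSupported: false };
}

// `pdfjsLib` is assumed to look like pdfjs-dist: a `version` string and a
// getDocument() taking a parameters object. Returns the loading task plus a
// flag telling the caller whether the library itself still needs upgrading.
function loadPdfSafely(pdfjsLib, params) {
  const task = pdfjsLib.getDocument(hardenedDocumentParams(params));
  return { task, needsUpgrade: isVulnerablePdfJs(pdfjsLib.version) };
}

// Constructed stand-in for pdfjs-dist so the example runs offline: it records
// the parameters it receives instead of parsing a real PDF.
function makeFakePdfJs(version) {
  const calls = [];
  return { version, calls, getDocument(p) { calls.push(p); return { promise: Promise.resolve({ numPages: 1 }) }; } };
}

// Demo (constructed sample version and file name): an app that bundled an
// older build and even opted into eval is still rendered with eval disabled.
const lib = makeFakePdfJs("4.1.392");
const result = loadPdfSafely(lib, { url: "upload.pdf", isEvalSupported: true });
console.log(result.needsUpgrade, lib.calls[0].isEvalSupported); // true false
```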