CVE-2018-5158
HIGH8.8EPSS 43.0%Malicious PDF can inject JavaScript into PDF Viewer
發布日:2022/5/14修改日:2024/5/28
描述
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8, Firefox < 60 and PDF.js < 2.0.550.
受影響套件(2)
- Debian/firefox-esrfrom 0, < 52.8.0esr-1
- npm/pdfjs-dist>= 2.0.0, < 2.0.550
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
參考連結(16)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-5158
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-5158
- PATCHhttps://github.com/mozilla/pdf.js
- WEBhttps://access.redhat.com/errata/RHSA-2018:1414
- WEBhttps://access.redhat.com/errata/RHSA-2018:1415
- WEBhttps://bugzilla.mozilla.org/show_bug.cgi?id=1452075
- WEBhttps://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97
- WEBhttps://github.com/mozilla/pdf.js/pull/9659
- WEBhttps://lists.debian.org/debian-lts-announce/2018/05/msg00007.html
- WEBhttps://security.gentoo.org/glsa/201810-01
- WEBhttps://usn.ubuntu.com/3645-1
- WEBhttps://www.debian.org/security/2018/dsa-4199
- WEBhttps://www.mozilla.org/security/advisories/mfsa2018-11
- WEBhttps://www.mozilla.org/security/advisories/mfsa2018-12
- WEBhttp://www.securityfocus.com/bid/104136
- WEBhttp://www.securitytracker.com/id/1040896