Veracode Vulnerability DatabaseVERACODE:46795Arbitrary JavaScript Execution
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
AI Score
Confidence
High
EPSS
Percentile
10.3%
react-pdf is vulnerable to Arbitrary JavaScript Execution. This vulnerability is due to isEvalSupported set to true by default, allowing for the execution of arbitrary JavaScript code embedded within the PDF.
References
github.com/advisories/GHSA-87hq-q4gp-9wr4
github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
github.com/mozilla/pdf.js/pull/18015
github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe
github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad
github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
AI Score
Confidence
High
EPSS
Percentile
10.3%