CVE-2018-5158

UNKNOWN

Published 2018-06-11T21:00:00

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2018-5158. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Mozilla

Firefox ESR

Affected Versions:

unspecified

Mozilla

Firefox

Affected Versions:

unspecified

WordPress Vulnerability

Identified and analyzed by Wordfence

Software Type

Plugin

Patch Status

Patched

Published

November 8, 2024

Software Details

Software Name

Algori PDF Viewer

Software Slug

algori-pdf-viewer

Affected Versions

* - 1.0.7

Patched Versions

1.0.8

Remediation

Update to version 1.0.8, or a newer patched version

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd66329-098e-4adf-b66f-d82a47720629?source=api-prod

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Malicious PDF can inject JavaScript into PDF Viewer

GHSA-7jg2-jgv3-fmr4

Advisory Details

Affected Packages

npm pdfjs-dist

ECOSYSTEM: ≥2.0.0 <2.0.550

npm pdfjs-dist

ECOSYSTEM: ≥0 <1.10.100

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-5158

WEB https://github.com/mozilla/pdf.js/pull/9659

WEB https://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97

WEB https://access.redhat.com/errata/RHSA-2018:1414

WEB https://access.redhat.com/errata/RHSA-2018:1415

WEB https://bugzilla.mozilla.org/show_bug.cgi?id=1452075

PACKAGE https://github.com/mozilla/pdf.js

WEB https://lists.debian.org/debian-lts-announce/2018/05/msg00007.html

WEB https://security.gentoo.org/glsa/201810-01

WEB https://usn.ubuntu.com/3645-1

WEB https://www.debian.org/security/2018/dsa-4199

WEB https://www.mozilla.org/security/advisories/mfsa2018-11

WEB https://www.mozilla.org/security/advisories/mfsa2018-12

WEB http://www.securityfocus.com/bid/104136

WEB http://www.securitytracker.com/id/1040896

Advisory provided by GitHub Security Advisory Database. Published: May 14, 2022, Modified: May 28, 2024

References

https://access.redhat.com/errata/RHSA-2018:1415

https://security.gentoo.org/glsa/201810-01

https://access.redhat.com/errata/RHSA-2018:1414

https://www.mozilla.org/security/advisories/mfsa2018-11/

http://www.securitytracker.com/id/1040896

https://www.debian.org/security/2018/dsa-4199

https://usn.ubuntu.com/3645-1/

https://lists.debian.org/debian-lts-announce/2018/05/msg00007.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1452075

https://www.mozilla.org/security/advisories/mfsa2018-12/

http://www.securityfocus.com/bid/104136

HackerOne Reports

XSS in PDF Viewer Low

skewbed

Nextcloud

$100.00

Cross-site Scripting (XSS) - Generic

View Report

Published: 2018-06-11T21:00:00

Last Modified: 2024-08-05T05:26:47.026Z

Copied to clipboard!

CVE-2018-5158

Expert Analysis

Description

Available Exploits

Related News

Affected Products

Firefox ESR

Affected Versions:

Firefox

Affected Versions:

WordPress Vulnerability

Software Type

Patch Status

Published

Software Details

Software Name

Software Slug

Affected Versions

Patched Versions

Remediation

References

GitHub Security Advisories

Malicious PDF can inject JavaScript into PDF Viewer

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

HackerOne Reports

Request Analysis

What to expect

Request Received!