Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-4367

MEDIUM
Published 2024-05-14T17:21:23.486Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-4367. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
5.6
/10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.330
probability
of exploitation in the wild

There is a 33.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.967
Higher than 96.7% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
LOW
Integrity
LOW
Availability
LOW

Description

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Mozilla

Firefox

Affected Versions:

unspecified
Mozilla

Firefox ESR

Affected Versions:

unspecified
Mozilla

Thunderbird

Affected Versions:

unspecified
mozilla

thunderbird

Affected Versions:

0
mozilla

firefox

Affected Versions:

0
mozilla

firefox_esr

Affected Versions:

0

WordPress Vulnerability

Identified and analyzed by Wordfence

Software Type

Plugin

Patch Status

Patched

Published

May 20, 2024

Software Details

Software Name

BSK PDF Manager

Software Slug

bsk-pdf-manager

Affected Versions

* - 3.6

Patched Versions

3.6.1

Remediation

Update to version 3.6.1, or a newer patched version

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/8ce7aa01-7e79-4048-a84d-fcb9541d5f8b?source=api-prod

© Defiant Inc. Data provided by Wordfence.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

GHSA-wgrm-67xf-hhpq

Advisory Details

### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Affected Packages

npm pdfjs-dist
ECOSYSTEM: ≥0 <4.2.67

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

WEB https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-4367
WEB https://github.com/gogs/gogs/issues/7928
WEB https://github.com/mozilla/pdf.js/pull/18015
WEB https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
WEB https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
WEB https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js
PACKAGE https://github.com/mozilla/pdf.js
WEB https://github.com/mozilla/pdf.js/releases/tag/v4.2.67
WEB https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html
WEB https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
WEB https://www.exploit-db.com/exploits/52273
WEB https://www.mozilla.org/security/advisories/mfsa2024-21
WEB https://www.mozilla.org/security/advisories/mfsa2024-22
WEB https://www.mozilla.org/security/advisories/mfsa2024-23
WEB http://seclists.org/fulldisclosure/2024/Aug/30

Advisory provided by GitHub Security Advisory Database. Published: May 7, 2024, Modified: April 24, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post
Reddit 3 months ago
crstux

🔥 Top 10 Trending CVEs (14/06/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-24201](https://nvd.nist.gov/vuln/detail/CVE-2025-24201)** - 📝 An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, …

Also mentions: CVE-2025-32717 CVE-2025-32711 CVE-2025-33053 CVE-2025-33073 CVE-2025-33070 CVE-2025-37899 CVE-2025-24201 CVE-2025-21420 CVE-2024-57727
1
1.0
View Original

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
https://www.mozilla.org/security/advisories/mfsa2024-21/
https://www.mozilla.org/security/advisories/mfsa2024-22/
https://www.mozilla.org/security/advisories/mfsa2024-23/
https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html
https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
Published: 2024-05-14T17:21:23.486Z
Last Modified: 2025-04-24T18:19:17.818Z
Copied to clipboard!