Exploit for CVE-2024-4367

2 months ago 54

## https://sploitus.com/exploit?id=A8B2743E-5AF9-58A8-8747-F7C802DAAC9E

# CVE-2024-4367: Arbitrary JavaScript Execution in PDF.js

## Overview

CVE-2024-4367 is a critical vulnerability in the PDF.js library that allows arbitrary JavaScript execution in a user's browser, leading to Cross-Site Scripting (XSS) attacks. This affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

## Usages

### Node in /app

```bash
npm install
```

```bash
npm start
```

### PoC

- `python3 poc.py <payload>`
- Example: `python3 poc.py "alert(1)"`

### Demo Videos

- [Demo 1 (Firefox)](https://www.youtube.com/watch?v=s4V5fL3AQew)
- [Demo 2 (pdfjs-dist)](https://www.youtube.com/watch?v=dWHtNF5-MKk)

## Mitigation

- Update PDF.js to a version higher than 4.1.392.
- Ensure your Firefox, Firefox ESR, or Thunderbird is up-to-date with the latest security patches.

## Detailed Analysis

For a comprehensive analysis of CVE-2024-4367, [read here](https://masamuneee.github.io/posts/cve-2024-4367/).

## PoC references

- https://github.com/LOURC0D3/CVE-2024-4367-PoC
- https://github.com/s4vvysec/CVE-2024-4367-POC
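
The version threshold in the Mitigation section can be checked mechanically. The following is an added example, not part of the original README or the PoC repositories: it scans a parsed `package-lock.json` for every copy of PDF.js, including nested ones pulled in by other dependencies, and flags versions that are not higher than 4.1.392. It assumes PDF.js is installed as the npm package `pdfjs-dist`; the sample lockfile and the `report-widget` package name are constructed.

```javascript
// Added example: audit an npm lockfile for pdfjs-dist versions not higher than 4.1.392.
const LAST_AFFECTED = [4, 1, 392]; // threshold taken from the Mitigation section

// True when the version is <= 4.1.392. Unparseable versions are flagged for manual review.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version || ""));
  if (!m) return true;
  for (let i = 1; i <= 3; i++) {
    const n = Number(m[i]);
    if (n !== LAST_AFFECTED[i - 1]) return n < LAST_AFFECTED[i - 1];
  }
  return true; // exactly 4.1.392
}

// Collect every pdfjs-dist entry from a parsed package-lock.json.
// lockfileVersion 2/3 uses a flat "packages" map keyed by install path;
// lockfileVersion 1 uses nested "dependencies" objects.
function findPdfjs(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/pdfjs-dist" || path.endsWith("/node_modules/pdfjs-dist")) {
      hits.push({ path, version: info.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "pdfjs-dist") hits.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Annotate each installed copy with whether it still needs updating.
function auditLock(lock) {
  return findPdfjs(lock).map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample: an updated top-level copy and an old copy bundled by a dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "viewer-app" },
    "node_modules/pdfjs-dist": { version: "4.2.67" },
    "node_modules/report-widget/node_modules/pdfjs-dist": { version: "3.11.174" },
  },
};
console.log(auditLock(sampleLock));
```

For a real project, pass `JSON.parse` of the lockfile contents to `auditLock`; a nested copy flagged as affected means updating the top-level dependency alone did not remove the vulnerable code.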