# EIQ-2019-0036

| ID | EIQ-2019-0036 |
|---|---|
| CVE | |
| Description | A crafted PDF file could allow malicious JavaScript injection |
| Date | 26 Sep 2019 |
| Severity | 3 - HIGH |
| CVSSv3 score | 8.8 |
| Status | ✅ 2.6.0 |
| Assessment | The vulnerability affects pdfjs-dist version 2.0.305, a sub-dependency of react-pdf version 3.0.6. The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. To reproduce the vulnerability scenario, we used a test PDF downloaded from Mozilla. However, it was not possible to replicate the issue in EclecticIQ Platform. Note: We test direct dependencies by scanning fixed builds, and then by checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities. At the moment, there is no way to reliably test indirect dependencies. |
| Mitigation | To mitigate the vulnerability, upgrade react-pdf to version 4.0.0 or later. This also upgrades the vulnerable sub-dependency. |
| Affected versions | 2.5.0 and earlier. |
| Notes | For more information, see: |
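The Assessment notes that indirect dependencies are hard to test with build scans. One place where the indirect dependency is visible is the lockfile. The following is an added example, not code from the advisory or from the react-pdf or pdf.js projects: it walks a `package-lock.json` (lockfileVersion 1, nested `dependencies` objects) and flags any `react-pdf` below the mitigation version 4.0.0 and any `pdfjs-dist` at the affected build 2.0.305, reporting the dependency path that leads to each. The function names (`findVulnerable`, `compareVersions`) and both lockfiles are constructed for this example; the `pdfjs-dist` version in the patched sample is a placeholder, not the version react-pdf 4.0.0 actually pulls in.

```javascript
// Added example (not from the advisory or the react-pdf project): scan a
// lockfileVersion 1 package-lock.json for the react-pdf / pdfjs-dist
// combination described in EIQ-2019-0036. Sample lockfiles are constructed.

const FIXED_REACT_PDF = "4.0.0"; // mitigation version from the advisory
const AFFECTED_PDFJS_DIST = "2.0.305"; // build named as affected in the advisory

// Parse "major.minor.patch" into numbers; non-numeric parts become 0.
function parseVersion(v) {
  return v.split(".").slice(0, 3).map((p) => parseInt(p, 10) || 0);
}

// Return -1, 0 or 1 when comparing two dotted versions numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested "dependencies" tree and collect findings,
// each with the path of packages that leads to the vulnerable one.
function findVulnerable(lock) {
  const findings = [];
  function walk(deps, path) {
    if (!deps) return;
    for (const [name, info] of Object.entries(deps)) {
      const here = path.concat(`${name}@${info.version}`);
      if (name === "react-pdf" && compareVersions(info.version, FIXED_REACT_PDF) < 0) {
        findings.push({
          name,
          version: info.version,
          path: here.join(" > "),
          reason: "react-pdf below 4.0.0; upgrade per EIQ-2019-0036",
        });
      }
      if (name === "pdfjs-dist" && info.version === AFFECTED_PDFJS_DIST) {
        findings.push({
          name,
          version: info.version,
          path: here.join(" > "),
          reason: "pdfjs-dist 2.0.305 is the build named as affected",
        });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample: the vulnerable combination described in the advisory.
const vulnerableLock = {
  lockfileVersion: 1,
  dependencies: {
    react: { version: "16.9.0" },
    "react-pdf": {
      version: "3.0.6",
      dependencies: { "pdfjs-dist": { version: "2.0.305" } },
    },
  },
};

// Constructed sample after the mitigation. The pdfjs-dist version is a
// placeholder, not the real version that react-pdf 4.0.0 depends on.
const patchedLock = {
  lockfileVersion: 1,
  dependencies: {
    react: { version: "16.9.0" },
    "react-pdf": {
      version: "4.0.0",
      dependencies: { "pdfjs-dist": { version: "0.0.0-placeholder" } },
    },
  },
};

for (const lock of [vulnerableLock, patchedLock]) {
  const hits = findVulnerable(lock);
  console.log(hits.length ? hits : "no findings");
}
```

On a real project, `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed objects gives the same walk over the installed tree; `npm ls pdfjs-dist` shows the same dependency path from the command line. Lockfiles written by npm 7 and later (lockfileVersion 2 and 3) keep a flat `packages` map keyed by `node_modules/...` paths instead of the nested tree, so that format needs a different traversal.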