The following abuse CVE-2024-4367 – Arbitrary JavaScript execution
in PDF.js
affecting versions <= 4.1.392 the exploit authors have documented this attack very well at https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
This dependency was fixed in https://github.com/mozilla/pdf.js/pull/18015
Multiple PDF Viewers have had an XSS https://github.com/luigigubello/PayloadsAllThePDFs issue.
This is a service used for clinical research.
Endpoint with the bug is a PDF Viewer hosted at https://baseline.google.com/member/mobilepdf?url=<PDF>
where <PDF>
is a URL that goes to a custom PDF with CORS. This was found by searching the source code of their Android Apps.
For example with https://baseline.google.com/member/mobilepdf?url=https://raw.githubusercontent.com/NDevTK/cross-site/main/CVE-2024-4367.pdf&hl=en-US
I get a alert that says my google baseline cookies since the file has /FontMatrix [1 2 3 4 5 (1\); alert\(document.cookie)]
The URL parameter appears to no longer work.
Like above but older PDF.js version https://app.signalpath.com/trialpath/assets/pdfjs/web/viewer.html
There is a same-origin or blob check for the file URL parameter, However the open file feature results in XSS (it also works by drag and drop)
May also be a feature in Site CTMS to upload a document containing the XSS, for example to gain privilege escalation.
To make the attack less obvious since app.signalpath.com
has no embed protection you can make it look like the file upload is for an unrelated site.
This was fixed by updating to 4.8.69