Writeups

The following abuse CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js affecting versions <= 4.1.392 the exploit authors have documented this attack very well at https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

This dependency was fixed in https://github.com/mozilla/pdf.js/pull/18015
Multiple PDF Viewers have had an XSS https://github.com/luigigubello/PayloadsAllThePDFs issue.

Project Baseline XSS (baseline.google.com) $3133.70

This is a service used for clinical research.
Endpoint with the bug is a PDF Viewer hosted at https://baseline.google.com/member/mobilepdf?url=<PDF> where <PDF> is a URL that goes to a custom PDF with CORS. This was found by searching the source code of their Android Apps. For example with https://baseline.google.com/member/mobilepdf?url=https://raw.githubusercontent.com/NDevTK/cross-site/main/CVE-2024-4367.pdf&hl=en-US I get a alert that says my google baseline cookies since the file has /FontMatrix [1 2 3 4 5 (1\); alert\(document.cookie)]
The URL parameter appears to no longer work.

SignalPath XSS (app.signalpath.com) $100

Like above but older PDF.js version https://app.signalpath.com/trialpath/assets/pdfjs/web/viewer.html
There is a same-origin or blob check for the file URL parameter, However the open file feature results in XSS (it also works by drag and drop)
May also be a feature in Site CTMS to upload a document containing the XSS, for example to gain privilege escalation.
To make the attack less obvious since app.signalpath.com has no embed protection you can make it look like the file upload is for an unrelated site.
This was fixed by updating to 4.8.69