Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-5715

PDFjs cve-2024-4367 arbitrary code execution from pdf document

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • 10.0.1
    • 9.0.0, 9.1.0, 10.0.0, 9.6.5
    • None
    • Security Level: Jimmy
    • None

      Affected versions

      This vulnerability affects all ZK versions from 9.0.0 to current latest 10.0.0

      Steps to Reproduce

      display the attached sample in a pdfviewer (pdf attached is a blank sample, with an alert JS inserted in the font declaration)
      NOTE: This alert may not appear, a JS error instead indicates an attempted execution, which is still proof of the vulnerability

      Current Result

      JS error trying to run JS from reproducing PDF

      Expected Result

      PDF cannot run arbitrary code

      Debug Information

      Workaround

      Deploy in zul, or globally through lang-addon

      <script><![CDATA[ 
      	zk.afterLoad("zkex.pdfviewer", function () {
      	    var _xPdfviewer = {};
      	    zk.override(zkex.pdfviewer.Pdfviewer.prototype, _xPdfviewer, {
      	    	_loadPdf: function _loadPdf(src) {
      	    		var source = {url: src, isEvalSupported: false};
      	    		return _xPdfviewer._loadPdf.apply(this, [source]);
      	 	}
      	     });
      	});
      ]]></script>
      

        1. CVE-2024-4367.pdf
          26 kB
          MDuchemin
        2. pdf-vulnerability.zul
          0.5 kB
          MDuchemin

            jumperchen jumperchen
            MDuchemin MDuchemin
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: