CVSS score: 8.8 (high)
EPSS: 0.044%

CVE-2024-4367

First published: Tue May 07 2024

### Impact

If pdf.js is used to load a malicious PDF, and pdf.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

### Patches

The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015

### Workarounds

Set the option `isEvalSupported` to `false`.

### References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
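The following is an added example written for this page; it is not pdf.js code and does not reproduce the specific field pdf.js interpolated (that detail is not on this page). It shows three things a practitioner will want: the eval-on-untrusted-data bug class the advisory describes, with a deliberately vulnerable `compileWithEval` beside a hardened `compileWithoutEval`; the published workaround (`isEvalSupported: false`, a real `getDocument` option) applied to a parameter object through a wrapper; and a version gate against the fixed npm version the table below lists (pdfjs-dist 4.2.67). All function names, the `scaleFromFile` stand-in, the `globalThis.attackerRan` marker and the sample inputs are this example's own constructions.

```javascript
// Added example for CVE-2024-4367. Not pdf.js code; names below are this example's own.

// (1) Bug class. A renderer builds a per-document transform by splicing a value read
// out of the file into JavaScript source. With a number this works; with an
// attacker-controlled string the text runs as code in the hosting page's origin.
function compileWithEval(scaleFromFile) {
  // Deliberately vulnerable: file content lands inside generated source.
  return new Function("x", `return x * ${scaleFromFile};`);
}

function compileWithoutEval(scaleFromFile) {
  // Hardened: parse first, then capture the number in a closure. No code
  // generation, so nothing taken from the document can become code.
  const scale = Number(scaleFromFile);
  if (!Number.isFinite(scale)) {
    throw new TypeError("rejected non-numeric value from file: " + String(scaleFromFile));
  }
  return (x) => x * scale;
}

// Constructed inputs: a benign value and a hostile one. The hostile value is a comma
// expression, so the side effect fires and the multiplication still returns the
// expected number; rendering looks normal, which is why this class goes unnoticed.
const BENIGN_VALUE = "2";
const HOSTILE_VALUE = "(globalThis.attackerRan = true, 2)";

function runEvalPath(value) {
  globalThis.attackerRan = false; // marker for "attacker code ran in page context"
  const result = compileWithEval(value)(21);
  return { result, attackerRan: globalThis.attackerRan === true };
}

function runNoEvalPath(value) {
  globalThis.attackerRan = false;
  try {
    const result = compileWithoutEval(value)(21);
    return { result, rejected: false, attackerRan: globalThis.attackerRan === true };
  } catch (e) {
    return { result: null, rejected: e instanceof TypeError, attackerRan: globalThis.attackerRan === true };
  }
}

// (2) The advisory's workaround, as a wrapper over the object handed to
// pdfjsLib.getDocument(). `isEvalSupported` is the real option name; forcing it to
// false is the documented mitigation. An explicit `true` is refused, not silently
// overridden, so a re-enable shows up as an error rather than disappearing.
function hardenedGetDocumentParams(params) {
  if (params.isEvalSupported === true) {
    throw new Error("isEvalSupported: true re-enables CVE-2024-4367; refusing");
  }
  return { ...params, isEvalSupported: false };
}

// (3) Version gate for the npm package, using the fixed version listed on this page.
const FIXED_PDFJS_DIST = "4.2.67";

function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function pdfjsDistNeedsUpgrade(installedVersion) {
  return compareVersions(installedVersion, FIXED_PDFJS_DIST) < 0;
}

// Stand-alone run.
console.log(runEvalPath(HOSTILE_VALUE));    // { result: 42, attackerRan: true }
console.log(runNoEvalPath(HOSTILE_VALUE));  // { result: null, rejected: true, attackerRan: false }
console.log(hardenedGetDocumentParams({ url: "doc.pdf" })); // { url: 'doc.pdf', isEvalSupported: false }
console.log(pdfjsDistNeedsUpgrade("4.1.392"), pdfjsDistNeedsUpgrade("4.2.67")); // true false
```

The workaround wrapper only helps where your own code builds the `getDocument` call (an application bundling pdfjs-dist); for the embedded viewers in Firefox and Thunderbird the fix is the browser or client update listed in the table below.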

Credit: security@mozilla.org

| Affected software | Affected version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | <115.11 | 115.11 |
| Mozilla Thunderbird | <115.11 | 115.11 |
| redhat/firefox | <115.11 | 115.11 |
| redhat/thunderbird | <115.11 | 115.11 |
| debian/firefox | (not listed) | 130.0.1-1 |
| debian/firefox-esr | (not listed) | 115.14.0esr-1~deb11u1, 115.15.0esr-1~deb11u1, 115.14.0esr-1~deb12u1, 115.15.0esr-1~deb12u1, 115.15.0esr-1 |
| debian/odoo | (not listed) | 14.0.0+dfsg.2-7+deb11u2, 16.0.0+dfsg.2-3 |
| debian/thunderbird | (not listed) | 1:115.12.0-1~deb11u1, 1:115.15.0-1~deb11u1, 1:115.12.0-1~deb12u1, 1:115.15.0-1~deb12u1, 1:128.2.0esr-1, 1:128.2.1esr-1 |
| Mozilla Firefox | <126 | 126 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | (not listed) |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | (not listed) |
| npm/pdfjs-dist | <=4.1.392 | 4.2.67 |
| Mozilla Firefox | <115.11.0 | (not listed) |
| Mozilla Firefox | <126.0 | (not listed) |
| Mozilla Thunderbird | <115.11.0 | (not listed) |
| Debian GNU/Linux | =10.0 | (not listed) |
| Open-Xchange App Suite Frontend | <7.10.6, =7.10.6, and =7.10.6-revision3 through =7.10.6-revision44 (every revision 3 to 44 inclusive) | (not listed) |


Frequently Asked Questions

  • What is the severity of CVE-2024-4367?

    CVE-2024-4367 carries a CVSS score of 8.8, which is the high band (not critical). The score reflects that a malicious PDF, opened by a pdf.js build with `isEvalSupported` left at its default of `true`, can run unrestricted attacker-controlled JavaScript in the hosting domain.

  • How do I fix CVE-2024-4367?

    Update to a fixed release: Firefox 126, Firefox ESR 115.11, Thunderbird 115.11, or the distribution builds listed in the table above. Applications that bundle pdf.js should move to pdfjs-dist 4.2.67 or later, whose patch (https://github.com/mozilla/pdf.js/pull/18015) removes the use of `eval`. Where an upgrade is not yet possible, pass `isEvalSupported: false` when loading documents as a workaround.

  • What versions are affected by CVE-2024-4367?

    CVE-2024-4367 affects Firefox ESR and Thunderbird before 115.11, Firefox before 126, and pdfjs-dist 4.1.392 and earlier (fixed in 4.2.67), as well as the downstream products in the table above that ship their own copy of pdf.js (IBM Cognos Analytics, Open-Xchange App Suite Frontend, Debian's odoo package).

  • What is the main risk associated with CVE-2024-4367?

    The main risk of CVE-2024-4367 is that opening an attacker-supplied PDF executes attacker-controlled JavaScript in the origin that hosts the viewer, with whatever access that origin has (its DOM, cookies, storage and same-origin APIs); no further user interaction beyond loading the document is required.

  • Who is impacted by CVE-2024-4367?

    Users of Mozilla Firefox, Firefox ESR and Thunderbird, and any web application that embeds pdf.js (for example via pdfjs-dist) without setting `isEvalSupported` to `false`, are at risk from CVE-2024-4367. Because `true` is the default, an application is exposed unless it changed the option or upgraded.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203