CVE-2024-25180

An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake applicaton). Anyone installing this is responsible for ensuring that it is only available to authorized testers.
Configurations

No configuration.

History

21 Nov 2024, 09:00

Type Values Removed Values Added
References () https://github.com/bpampuch/pdfmake/issues/2702 - () https://github.com/bpampuch/pdfmake/issues/2702 -
References () https://github.com/joaoviictorti/My-CVES/blob/main/CVE-2024-25180/README.md - () https://github.com/joaoviictorti/My-CVES/blob/main/CVE-2024-25180/README.md -
References () https://security.snyk.io/vuln/SNYK-JS-PDFMAKE-6347243 - () https://security.snyk.io/vuln/SNYK-JS-PDFMAKE-6347243 -
References () https://www.youtube.com/watch?v=QcOlrWUGo6o - () https://www.youtube.com/watch?v=QcOlrWUGo6o -

26 Aug 2024, 20:35

Type Values Removed Values Added
CWE CWE-94
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

01 May 2024, 22:15

Type Values Removed Values Added
Summary (en) An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the path '/pdf'. (en) An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake applicaton). Anyone installing this is responsible for ensuring that it is only available to authorized testers.
References
  • () https://github.com/bpampuch/pdfmake/issues/2702 -
  • () https://security.snyk.io/vuln/SNYK-JS-PDFMAKE-6347243 -

19 Apr 2024, 19:15

Type Values Removed Values Added
References
  • () https://www.youtube.com/watch?v=QcOlrWUGo6o -

01 Mar 2024, 14:04

Type Values Removed Values Added
Summary
  • (es) Un problema descubierto en pdfmake 0.2.9 permite a atacantes remotos ejecutar código arbitrario mediante una solicitud POST manipulada en la ruta '/pdf'.

29 Feb 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-29 18:15

Updated : 2024-11-21 09:00


NVD link : CVE-2024-25180

Mitre link : CVE-2024-25180

CVE.ORG link : CVE-2024-25180


JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')