GHSA-3pxp-6963-46r9

Suggest an improvement
Source
https://github.com/advisories/GHSA-3pxp-6963-46r9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-3pxp-6963-46r9/GHSA-3pxp-6963-46r9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3pxp-6963-46r9
Aliases
  • CVE-2018-3746
Published
2018-06-07T19:43:00Z
Modified
2023-11-08T04:00:18.596470Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Command Injection in pdfinfojs
Details

Versions of pdfinfojs before 0.4.1 are vulnerable to command injection. This is exploitable if an attacker can control the filename parameter that is passed into the pdfinfojs constructor.

Recommendation

Update to version 0.4.1 or later.

Database specific 
{
    "cwe_ids": [
        "CWE-77",
        "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:55:51Z",
    "nvd_published_at": "2018-06-01T17:29:00Z",
    "severity": "CRITICAL"
}
References

Affected packages

npm / pdfinfojs

Package

Name
pdfinfojs
View open source insights on deps.dev
Purl
pkg:npm/pdfinfojs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-3pxp-6963-46r9/GHSA-3pxp-6963-46r9.json"