CVE-2018-3746

Name of the Vulnerable Software and Affected Versions pdfinfojs versions <= 0.3.6 pdfinfojs versions prior to 0.4.1

Description The issue is related to a lack of neutralization of special elements in input commands for the pdfinfojs module. This can be exploited by a remote attacker to execute arbitrary code using a specially crafted request. The vulnerability is exploitable if an attacker can control the filename parameter passed into the pdfinfojs constructor, allowing the execution of arbitrary commands on the victim's machine.

Recommendations For pdfinfojs versions <= 0.3.6, update to version 0.4.1 or later. For pdfinfojs versions prior to 0.4.1, update to version 0.4.1 or later. As a temporary workaround, consider restricting access to the filename parameter in the pdfinfojs constructor to minimize the risk of exploitation.