PT-2018-2992 · Mozilla+5 · Firefox Esr+7

Wladimir Palant

Published

2018-05-09

Updated

2024-12-12

CVE-2018-5158

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Firefox ESR versions prior to 52.8 Firefox versions prior to 60 PDF.js versions prior to 2.0.550

Description The issue is related to errors in code generation management in the PDF Viewer component of Firefox ESR and Firefox browsers. It allows a remote attacker to execute arbitrary code using a specially crafted PDF file. The PDF viewer does not sufficiently sanitize PostScript calculator functions, enabling malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.

Recommendations For Firefox ESR versions prior to 52.8, update to version 52.8 or later. For Firefox versions prior to 60, update to version 60 or later. For PDF.js versions prior to 2.0.550, update to version 2.0.550 or later.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

ALT-PU-2018-1787

ALT-PU-2018-1854

BDU:2019-03311

CESA-2018_1414

CESA-2018_1415

CVE-2018-5158

DLA-1376-1

DSA-4199-1

GHSA-7JG2-JGV3-FMR4

MGASA-2018-0248

MGASA-2018-0338

OPENSUSE-SU-2018_1212-1

OPENSUSE-SU-2024:10600-1

OPENSUSE-SU-2024:14572-1

RHSA-2018:1414

RHSA-2018:1415

RHSA-2018_1414

RHSA-2018_1415

SUSE-SU-2018:1319-1

SUSE-SU-2018:1334-1

SUSE-SU-2018:1334-2

SUSE-SU-2018:2298-1

SUSE-SU-2019:2872-1

USN-3645-1

USN-3645-2

Affected Products

Alt Linux

Centos

Firefox

Firefox Esr

Pdf.Js

Red Hat

Suse

Ubuntu

PT-2018-2992 · Mozilla+5 · Firefox Esr+7

CVE-2018-5158

Weakness Enumeration

Related Identifiers

Affected Products

References · 1973