PT-2024-35152 · Unknown · Stirling-Pdf

Hotanya · Published 2024-11-11 · Updated 2025-01-09 · CVE-2024-52286

CVSS v4.0: 2.0 (Low)

Vector: AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Stirling-PDF versions prior to 0.32.0

Description

The issue in Stirling-PDF allows any unauthenticated user to execute JavaScript code in the context of the user, because the Merge functionality takes untrusted user input (the file name) and uses it directly in the creation of HTML pages. The file name is placed directly into innerHTML with no sanitization, so a malicious user can supply files whose names contain HTML tags, which can include JavaScript code. The code executes in the context of the user; this relies on a user uploading the malicious file themselves and impacts only them. A user might be socially engineered into running this to launch a phishing attack, breaking the expected security restrictions in place by the application.

Recommendations

For versions prior to 0.32.0, upgrade to version 0.32.0 to address the issue. As a temporary workaround, consider restricting the use of the Merge functionality until the upgrade is applied. Avoid using the Merge functionality with untrusted file names until the issue is resolved.
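The pattern described above, shown next to a hardened form. This is an added example, not Stirling-PDF source code and not the project's actual fix; all function names, class names and the sample file name are hypothetical and constructed for illustration.

```javascript
// Added example (not Stirling-PDF code). All names here are hypothetical.

// Escape the characters that are significant in HTML text and attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the file name is concatenated into markup that is later
// assigned to innerHTML, so any tags in the name are parsed as HTML.
function renderEntryUnsafe(fileName) {
  return `<li class="file-entry"><span class="filename">${fileName}</span></li>`;
}

// Hardened string builder: the file name is escaped before it reaches the markup.
function renderEntrySafe(fileName) {
  return `<li class="file-entry"><span class="filename">${escapeHtml(fileName)}</span></li>`;
}

// Preferred in the browser: build nodes and set textContent, which never parses
// its argument as HTML. `doc` is the page's document object.
function appendEntry(doc, listEl, fileName) {
  const li = doc.createElement("li");
  li.className = "file-entry";
  const span = doc.createElement("span");
  span.className = "filename";
  span.textContent = fileName;
  li.appendChild(span);
  listEl.appendChild(li);
  return li;
}

// Regression check for unit tests: true if the rendered entry contains any
// element other than the <li>/<span> the template itself emits.
function introducesMarkup(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?(li|span)$/i.test(t));
}

// Constructed sample file name carrying harmless markup.
const constructedName = 'invoice<b title="x">bold</b>.pdf';
console.log(introducesMarkup(renderEntryUnsafe(constructedName)));
console.log(introducesMarkup(renderEntrySafe(constructedName)));
```

A check like `introducesMarkup` can run in CI against every template that renders user-supplied file names.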

Exploit · Fix · XSS · RCE

Weakness Enumeration

Related Identifiers

CVE-2024-52286
GHSA-9J55-GVF2-CQWV

Affected Products

Stirling-Pdf