SB2022013108 - Multiple vulnerabilities in jsPDF
Published: January 31, 2022
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper validation of integrity check value (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to a missing integrity check when loading the pdfobject library from a CDN in calls to output('pdfobjectnewwindow'). A remote attacker who is able to compromise the CDN or perform a MitM attack can inject arbitrary JS code and execute it in the victim's browser.
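The general mitigation for this class of issue is to pin the CDN-hosted script with Subresource Integrity (SRI). The following is an added example, not jsPDF's code or its fix; the CDN URL, the script bytes and the function names are constructed for illustration.

```javascript
const crypto = require("crypto");

// Hash algorithms the SRI specification allows, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];

// Build an SRI value ("sha384-<base64 digest>") for the script bytes.
function sriDigest(body, algo = "sha384") {
  if (!ALGOS.includes(algo)) throw new Error("unsupported algorithm: " + algo);
  return algo + "-" + crypto.createHash(algo).update(body).digest("base64");
}

// Check bytes against an integrity attribute the way a browser does: drop
// unknown tokens, then compare only against the strongest algorithm present
// (any matching hash of that algorithm is accepted). A browser treats an
// attribute with no usable hash as absent; this check fails closed instead.
function verifySri(body, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], b64: m[2] }));
  if (parsed.length === 0) return false;
  const strongest = parsed.reduce((best, p) =>
    ALGOS.indexOf(p.algo) > ALGOS.indexOf(best) ? p.algo : best, "sha256");
  return parsed.filter((p) => p.algo === strongest)
    .some((p) => sriDigest(body, p.algo) === p.algo + "-" + p.b64);
}

// Emit the pinned tag. crossorigin="anonymous" is needed so the browser can
// apply the integrity check to a cross-origin response.
function pinnedScriptTag(url, body) {
  return `<script src="${url}" integrity="${sriDigest(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample input: placeholder URL and stand-in script bytes.
const CDN_URL = "https://cdn.example/pdfobject.min.js";
const reviewed = Buffer.from("window.PDFObject={embed:function(){}};");
const tampered = Buffer.from("window.PDFObject={embed:function(){/* modified */}};");

console.log(pinnedScriptTag(CDN_URL, reviewed));
console.log("reviewed copy passes:", verifySri(reviewed, sriDigest(reviewed)));
console.log("modified copy passes:", verifySri(tampered, sriDigest(reviewed)));
```

With the hash pinned in the tag, a script modified at the CDN or in transit no longer matches and the browser refuses to execute it.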
2) Incorrect Regular Expression (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an inefficient regular expression in setDisplayMode. A remote attacker can pass specially crafted data to the application and cause high CPU load, resulting in a regular expression denial of service (ReDoS) attack.
Remediation
Install the update from the vendor's website.