Jspdf

10 CVEs product

CVE-2026-25940 HIGH PATCH This Week

jsPDF versions prior to 4.2.0 allow attackers to inject arbitrary PDF objects including malicious JavaScript through unsanitized input to the Acroform module, which executes when users interact with form elements. An attacker who can control input passed to vulnerable API members can achieve code execution on the victim's system. The vulnerability is fixed in jsPDF 4.2.0 and can be mitigated by sanitizing all user input before passing it to affected Acroform properties and methods.

XSS Jspdf Redhat
NVD GitHub
CVSS 3.1: 8.1
EPSS: 0.0%
CVE-2026-25755 HIGH POC PATCH This Week

Arbitrary PDF object injection in jsPDF before 4.2.0 allows unauthenticated attackers to execute malicious actions or manipulate document structure through unvalidated input to the addJS method, affecting any user opening a crafted PDF. Public exploit code exists for this vulnerability. The issue is resolved in jsPDF 4.2.0, with a temporary mitigation of escaping parentheses in user-supplied JavaScript before passing it to addJS.

RCE Code Injection Jspdf Redhat
NVD GitHub
CVSS 3.1: 8.1
EPSS: 0.0%
CVE-2026-25535 HIGH POC PATCH This Week

Denial of service in jsPDF prior to version 4.2.0 allows remote attackers to trigger out-of-memory conditions by supplying specially crafted GIF files with oversized dimension headers to the addImage or html methods. Public exploit code exists for this vulnerability, affecting applications that process untrusted image data. Upgrade to jsPDF 4.2.0 or sanitize image inputs before processing.

Denial Of Service Jspdf Redhat
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2026-24737 HIGH POC PATCH This Week

PDF generation in jsPDF prior to version 4.1.0 allows injection of arbitrary PDF objects through unsanitized input passed to AcroForm module methods, enabling attackers to embed malicious JavaScript actions executed when victims open the generated documents. Public exploit code exists for this vulnerability affecting applications using vulnerable versions of the library. Upgrade to jsPDF 4.1.0 or later to remediate the issue.

XSS Jspdf Redhat
NVD GitHub
CVSS 3.1: 8.1
EPSS: 0.0%
CVE-2026-24133 MEDIUM POC PATCH This Month

Denial of service in jsPDF prior to version 4.1.0 occurs when malicious BMP files with oversized dimension headers are processed by the addImage or html methods, causing excessive memory allocation and application crashes. Public exploit code exists for this vulnerability. Organizations using jsPDF should upgrade to version 4.1.0 or later to remediate the issue.

Denial Of Service Jspdf Redhat
NVD GitHub
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-24043 MEDIUM POC PATCH This Month

jsPDF versions up to 4.1.0 contain a vulnerability that allows attackers to inject arbitrary XML (CVSS 5.4).

Code Injection Jspdf Redhat
NVD GitHub
CVSS 3.1: 5.4
EPSS: 0.0%
CVE-2026-24040 MEDIUM POC PATCH This Month

jsPDF versions prior to 4.1.0 contain a race condition in the addJS method where a shared module-scoped variable is overwritten during concurrent PDF generation, causing JavaScript payloads and embedded data intended for one user to be included in another user's generated PDF. This cross-user data leakage primarily affects server-side Node.js deployments handling simultaneous requests, allowing attackers to access sensitive information leaked across user sessions. Public exploit code exists for this vulnerability.

Node.js Race Condition Jspdf Redhat
NVD GitHub
CVSS 3.1: 4.8
EPSS: 0.0%
CVE-2025-68428 HIGH PATCH This Week

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the Node.js build allows local file inclusion/path traversal. [CVSS 7.5 HIGH]

Node.js Lfi Path Traversal Jspdf Redhat
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2025-57810 HIGH POC PATCH This Week

jsPDF is a library to generate PDFs in JavaScript. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.

Denial Of Service Jspdf Redhat
NVD GitHub
CVSS 4.0: 8.7
EPSS: 0.3%
CVE-2025-29907 HIGH POC PATCH This Week

jsPDF is a library to generate PDFs in JavaScript. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.

Denial Of Service Jspdf
NVD GitHub
CVSS 4.0: 8.7
EPSS: 0.4%