Vulnerabilities 2024Permanent link for this heading

Arbitrary JavaScript execution in PDF.js (eGov16581, MINDBREEZE31126)Permanent link for this heading

First published: 10 June 2024 (restricted disclosure)

Last update: 11 July 2024

ID: eGov16581, MINDBREEZE31126

Affected Components:

  • Fabasoft eGov-Suite versions up to 2024 Update Rollup 1
  • Fabasoft Mindbreeze Enterprise versions up to 24.3.0.268

Severity: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N, Base Score: 8.5 / High

Status: Final

CVEs: CVE-2024-4367

SummaryPermanent link for this heading

A type check was missing when handling fonts in the third-party library PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context.

ImpactPermanent link for this heading

After successful exploitation of this vulnerability, arbitrary JavaScript code may be executed in the user’s web browser.

RemediationPermanent link for this heading

Fabasoft eGov-SuitePermanent link for this heading

The vulnerability affecting the Fabasoft eGov-Suite can be remediated by installing a hotfix provided by Fabasoft.

Hotfix informationPermanent link for this heading

Fabasoft provides hotfixes for the following Fabasoft eGov-Suite versions:

  • Fabasoft eGov-Suite 2020 Update Rollup 5 (included with 20.1.5.85.51)
  • Fabasoft eGov-Suite 2021 Update Rollup 3 (included with 21.1.3.86.150)
  • Fabasoft eGov-Suite 2022 Update Rollup 2 (included with 22.0.2.75.163)
  • Fabasoft eGov-Suite 2022 Update Rollup 3 (included with 22.0.3.70.40)
  • Fabasoft eGov-Suite 2023 September Release (included with 23.9.0.273.23)
  • Fabasoft eGov-Suite 2023 Update Rollup 1 (included with 23.0.1.81.34)
  • Fabasoft eGov-Suite 2023 Update Rollup 2 (included with 23.0.2.50.82)
  • Fabasoft eGov-Suite 2023 Update Rollup 3 (included with 23.0.3.36.123)
  • Fabasoft eGov-Suite 2024 (included with 24.0.0.214.23)
  • Fabasoft eGov-Suite 2024 April Release (included with 24.4.0.355.22)
  • Fabasoft eGov-Suite 2024 Update Rollup 1 (included with 24.0.1.25.28)

The fix for this vulnerability is already included with the following and newer versions:

  • Fabasoft eGov-Suite 2024 Update Rollup 2
  • Fabasoft eGov-Suite 2024 June Release

Fabasoft Mindbreeze EnterprisePermanent link for this heading

The vulnerability affecting Fabasoft Mindbreeze Enterprise can be remediated by installing Fabasoft Mindbreeze Enterprise version 24.3.1.271 or newer.

For older Fabasoft Mindbreeze Enterprise versions, a remediation by editing a file on the Fabasoft Mindbreeze Enterprise server is available:

  • Open the following file for editing:
  • Linux: /opt/mindbreeze/bin/webapps/client-service/ROOT/apps/scripts/pdfjs-dist/build/pdf.js
  • Windows: C:\Program Files\Mindbreeze\Enterprise Search\Server\webapps\client-service\ROOT\apps\scripts\pdfjs-dist\build\pdf.js
  • Search for line return globalSettings ? globalSettings.isEvalSupported : true;
  • Replace the line with return false;
  • The cache will be removed within 1 hour and the client will use the patched file to open PDF.

If you need further assistance, please open a Fabasoft Support Ticket.