[WEBUI-1587] Prevent PDF preview to run malicious javascript - Nuxeo Issue Tracker

Starting October 25th, 2024, all support issues must be submitted through Hyland Community. To submit a support case through Hyland Community, you'll need to create a Hyland ID. Please note that the Nuxeo Jira site will enter read-only mode at 5:00 PM on October 25th and will remain in this state indefinitely. During this transition, access to Jira Projects will be temporarily unavailable. We will provide a new site and link to view Jira issues by November 8th, 2024. Further details on accessing the new platform will be shared closer to that date.

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.0.0, 3.1.0
Fix Version/s: 3.0.x, 3.1.x
Component/s: Web UI

Tags:
- SupCom
- nxUI
- nxui-triaged
- security
Backlog priority:
500
Team:
UI
Sprint:
UI - 2024-11

Description

Steps to reproduce :

create a File document with the attached PDF : payload1.pdf
observe that a javascript popup is displayed: it corresponds to an example of malicious script included in the PDF which is displayed by the previewer (pdf.js)

Expected behavior: the malicious script included in a PDF are not executed during the preview

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

payload1.pdf
2024-10-07 13:03
13 kB
Thierry Martins

Issue Links

is related to

WEBUI-1532 [PDF.js] Analyze and fix CVE-2024-4367 with PDF.js

Open

Activity

People

Assignee:

Unassigned

Reporter:

Thierry Martins

Participants:

Bertrand Chauvin, Thierry Martins

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2024-10-07 13:03

Updated:

Yesterday 06:41