jsPDF has PDF Object Injection via Unsanitized Input in addJS Method

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

对生成代码的控制不恰当(代码注入)

jsPDF 安全漏洞

jsPDF是Parallax开源的一款基于JavaScript的PDF文档生成库。 jsPDF 4.2.0之前版本存在安全漏洞，该漏洞源于addJS方法对用户输入处理不当，可能导致注入任意PDF对象。

N/A

N/A