Fabasoft Tackles PDF.js Vulnerability (CVE-2024-4367), Safeguarding eGovernment and Enterprise Search Solutions
Fabasoft, a leading provider of document management and enterprise search solutions, has released security advisories addressing a high-severity vulnerability (CVE-2024-4367) in the widely used PDF.js library. This vulnerability, discovered by Codean Labs, could allow attackers to execute arbitrary JavaScript code in a user’s web browser when opening a malicious PDF file.
Vulnerability Details
Security researchers from Codean Labs revealed the technical details and a proof-of-concept (PoC) exploit for CVE-2024-4367. The vulnerability originates from a missing type check when handling fonts in the PDF.js library, a popular JavaScript-based PDF viewer maintained by Mozilla. This flaw allows attackers to execute arbitrary JavaScript code within the PDF.js context, potentially compromising the user’s system.
This vulnerability affects all Firefox users running versions below 126, as well as numerous web- and Electron-based applications utilizing PDF.js for preview functionality, including Fabasoft’s eGov-Suite and Mindbreeze Enterprise.
Impact on Fabasoft Products
The vulnerability affects the following Fabasoft products:
- Fabasoft eGov-Suite: Versions up to 2024 Update Rollup 1
- Fabasoft Mindbreeze Enterprise: Versions up to 24.3.0.268
Mitigation and Remediation
Fabasoft has proactively addressed the vulnerability by providing hotfixes for various versions of the Fabasoft eGov-Suite. Users are strongly advised to install the relevant hotfix for their specific version to mitigate the risk.
For Fabasoft Mindbreeze Enterprise, upgrading to version 24.3.1.271 or newer is the recommended solution. As an alternative for older versions, Fabasoft has provided instructions for manually editing a file on the server to disable the vulnerable functionality.
Urgency and Recommendations
Due to the high severity of this vulnerability and the potential for widespread exploitation, Fabasoft customers are urged to apply the provided patches or mitigations as soon as possible. Failing to do so could leave their systems vulnerable to malicious attacks, potentially leading to data breaches, unauthorized access, and other security incidents.
Organizations utilizing Fabasoft eGov-Suite or Mindbreeze Enterprise should prioritize updating their software and implement any additional security measures recommended by Fabasoft. This proactive approach will significantly reduce the risk of compromise and ensure the continued integrity of their systems and data.