Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-4367 — Improper Check for Unusual or Exceptional Conditions in Mozilla Firefox

CWE-754 — Improper Check for Unusual or Exceptional Conditions CWE-79 — Cross-site Scripting19 documents11 sources

Severity

8.8HIGHNVD

EPSS

34.6%

top 2.99%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +4 more

Timeline

PublishedMay 14

Latest updateJun 26

Description

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

▶CVEListV5mozilla/firefoxunspecified — 126

▶NVDmozilla/firefox< 115.11.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 115.11

▶CVEListV5mozilla/thunderbirdunspecified — 115.11

▶NVDmozilla/thunderbird< 115.11.0

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

Gogs XSS allowed by stored call in PDF renderer↗2025-06-26

▶

GHSA

Arbitrary JavaScript execution due to using outdated libraries↗2024-06-05

▶

OSV

Arbitrary JavaScript execution due to using outdated libraries↗2024-06-05

▶

OSV

thunderbird vulnerabilities↗2024-05-22

▶

CVEList

CVE-2024-4367: A type check was missing when handling fonts in PDF↗2024-05-14

▶

💥Exploits & PoCs

Exploit-DB

Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution↗2025-04-22

▶

🔍Detection Rules

Suricata

ET EXPLOIT Firefox ESR PDF.js Arbitrary Javascript Execution (CVE-2024-4367)↗2025-05-22

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2024-05-22

▶

Ubuntu

Firefox vulnerabilities↗2024-05-21

▶

Red Hat

Mozilla: Arbitrary JavaScript execution in PDF.js↗2024-05-14

▶

Debian

CVE-2024-4367: firefox - A type check was missing when handling fonts in PDF.js, which would allow arbitr...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-21: CVE-2024-4367↗

▶

📄Research Papers

CTF

Upload / README↗2024

▶