CVE-2024-45508
published 2024-09-01

CVE-2024-45508: HTMLDOC before 1.9.19 has an out-of-bounds write in parse_paragraph in ps-pdf.cxx because of an attempt to strip leading whitespace from a whitespace-only node.

Priority: P345, critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.71% (48.7th percentile)

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | htmldoc | < htmldoc 1.9.18-2 (forky) | htmldoc 1.9.18-2 (forky) |
| htmldoc_project | htmldoc | < 1.9.19 | 1.9.19 |
| htmldoc_project | htmldoc | >= 0 < 1.9.18-2 | 1.9.18-2 |
| htmldoc_project | htmldoc | >= 0 < 1.9.18-2 | 1.9.18-2 |
| htmldoc_project | htmldoc | >= 0 < 1.8.27-8ubuntu1+esm4 | 1.8.27-8ubuntu1+esm4 |
| htmldoc_project | htmldoc | >= 0 < 1.8.27-8ubuntu1.1+esm3 | 1.8.27-8ubuntu1.1+esm3 |
| htmldoc_project | htmldoc | >= 0 < 1.9.2-1ubuntu0.2+esm2 | 1.9.2-1ubuntu0.2+esm2 |
| htmldoc_project | htmldoc | >= 0 < 1.9.7-1ubuntu0.3+esm2 | 1.9.7-1ubuntu0.3+esm2 |
| htmldoc_project | htmldoc | >= 0 < 1.9.15-1ubuntu0.1~esm1 | 1.9.15-1ubuntu0.1~esm1 |
| htmldoc_project | htmldoc | >= 0 < 1.9.17-1ubuntu0.1~esm1 | 1.9.17-1ubuntu0.1~esm1 |

CVSS provenance

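| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.5 | HIGH | |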