CVE-2024-1648

electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fluidattacks.com/advisories/drake	Exploit Third Party Advisory
https://www.npmjs.com/package/electron-pdf/	Product
https://fluidattacks.com/advisories/drake	Exploit Third Party Advisory
https://www.npmjs.com/package/electron-pdf/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:fraserxu:electron-pdf:20.0.0:*:*:*:*:node.js:*:*

History

12 Feb 2025, 17:02

Type	Values Removed	Values Added
CPE		cpe:2.3:a:fraserxu:electron-pdf:20.0.0:::::node.js::
First Time		Fraserxu electron-pdf Fraserxu
CWE		NVD-CWE-noinfo
References	~~() https://fluidattacks.com/advisories/drake -~~	() https://fluidattacks.com/advisories/drake - Exploit, Third Party Advisory
References	~~() https://www.npmjs.com/package/electron-pdf/ -~~	() https://www.npmjs.com/package/electron-pdf/ - Product

21 Nov 2024, 08:51

Type	Values Removed	Values Added
References	~~() https://fluidattacks.com/advisories/drake -~~	() https://fluidattacks.com/advisories/drake -
References	~~() https://www.npmjs.com/package/electron-pdf/ -~~	() https://www.npmjs.com/package/electron-pdf/ -

20 Feb 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-20 01:15

Updated : 2025-02-12 17:02

NVD link : CVE-2024-1648

Mitre link : CVE-2024-1648

CVE.ORG link : CVE-2024-1648

JSON object : View

Products Affected

fraserxu

electron-pdf

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NVD-CWE-noinfo

7.5 /10