VYPR
Low severity 3.3 · GHSA Advisory · Published Sep 27, 2024 · Updated Apr 15, 2026

CVE-2024-9283

Description

A vulnerability classified as problematic has been found in RelaxedJS ReLaXed up to 0.2.2. Affected is an unknown function of the component Pug to PDF Converter. The manipulation leads to cross site scripting. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RelaxedJS ReLaXed up to 0.2.2 has a local cross-site scripting vulnerability in its Pug to PDF Converter component, which has been publicly disclosed.

A vulnerability (CVE-2024-9283) has been identified in RelaxedJS ReLaXed, a tool that creates PDF documents using web technologies like HTML, Pug, and JavaScript [1]. The flaw affects version 0.2.2 and earlier, specifically in the Pug to PDF Converter component [2]. The exact function is not specified, but the manipulation leads to cross-site scripting (XSS) [2].

The attack vector is local, meaning an attacker would need local access to the system running ReLaXed to exploit this vulnerability [2]. The exploit has been publicly disclosed, increasing the risk of its use [2]. Because this is a local XSS, the attacker could inject malicious scripts into the PDF generation process, potentially affecting the generated PDF or the local environment.

The impact is classified as problematic, with a low-severity CVSS v3 score of 3.3 [2]. An attacker with local access could potentially execute arbitrary JavaScript in the context of the PDF generation, which might lead to information disclosure or further local compromise. The vendor, RelaxedJS, has not released a patched version; users should review the repository [1] for updates or apply mitigations such as restricting local access.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
relaxedjs (npm) | <= 0.2.5 |

Affected products

3

Patches

0

No patches discovered yet.

References

6
