CVE-2023-24304: 
IrfanView vulnerability analysis and mitigation

A critical vulnerability (CVE-2023-24304) was discovered in IrfanView version 4.60's PDF.dll plugin, which allows attackers to execute arbitrary code through crafted PDF files. The vulnerability was identified in March 2023 and affects the PDF plugin, which is not included by default but requires manual download and activation by users (Fraunhofer Advisory, NVD).

The vulnerability stems from improper input validation in the PDF.dll plugin of IrfanView v4.60. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code on the target system when a user opens a specially crafted PDF file. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in IrfanView version 4.61. Users are advised to upgrade to this version to protect against potential attacks. Since the vulnerable PDF.dll plugin is not shipped with IrfanView by default, users who haven't downloaded and activated the plugin are not affected (Fraunhofer Advisory).