Lucene search

ZdiCVE-2018-9948

HistoryMay 17, 2018 - 3:29 p.m.

CVE-2018-9948

2018-05-1715:29:02

CWE-824

CWE-200

zdi

web.nvd.nist.gov

foxit reader

vulnerability

remote attackers

sensitive information

disclosure

nvd

zdi-can-5380

cve-2018-9948

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

0.719

Percentile

98.1%

JSON

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of typed arrays. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5380.

Affected configurations

Nvd

Vulners

Node

foxitsoftwarefoxit_readerRange≤9.0.1.1049

foxitsoftwarephantompdfRange≤9.0.1.1049

VendorProductVersionCPE
foxitsoftwarefoxit_reader*cpe:2.3:a:foxitsoftware:foxit_reader:*:*:*:*:*:*:*:*
foxitsoftwarephantompdf*cpe:2.3:a:foxitsoftware:phantompdf:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
foxitsoftware	foxit_reader	*	cpe:2.3:a:foxitsoftware:foxit_reader::::::::
foxitsoftware	phantompdf	*	cpe:2.3:a:foxitsoftware:phantompdf::::::::

CNA Affected

[
  {
    "product": "Foxit Reader",
    "vendor": "Foxit",
    "versions": [
      {
        "status": "affected",
        "version": "9.0.0.29935"
      }
    ]
  }
]