Lucene search

[email protected]CVE-2020-17415

HistoryOct 13, 2020 - 5:15 p.m.

CVE-2020-17415

2020-10-1317:15:14

CWE-732

[email protected]

web.nvd.nist.gov

foxit phantompdf

vulnerability

privilege escalation

cve-2020-17415

security issue

zdi-can-11308

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

28.5%

JSON

This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PhantomPDF 10.0.0.35798. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the configuration files used by the Foxit PhantomPDF Update Service. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-11308.

Affected configurations

Vulners

NVD

Node

foxitphantompdfRange≤10.0.0.35798

CPENameOperatorVersion
foxitsoftware:foxit_readerfoxitsoftware foxit readerle10.0.1.35811
foxitsoftware:phantompdffoxitsoftware phantompdfle10.0.1.35811

CPE	Name	Operator	Version
foxitsoftware:foxit_reader	foxitsoftware foxit reader	le	10.0.1.35811
foxitsoftware:phantompdf	foxitsoftware phantompdf	le	10.0.1.35811

CNA Affected

[
  {
    "product": "PhantomPDF",
    "vendor": "Foxit",
    "versions": [
      {
        "status": "affected",
        "version": "10.0.0.35798"
      }
    ]
  }
]