CVE-2023-39542

2023-11-2716:15:10

CWE-610

CWE-73

talos

web.nvd.nist.gov

cve-2023-39542

foxit reader

code execution

javascript

rce

nvd

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.003

Percentile

70.6%

JSON

A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. A specially crafted malformed file can create arbitrary files, which can lead to remote code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Affected configurations

Nvd

Vulners

Node

foxitsoftwarefoxit_readerMatch12.1.3.15356

VendorProductVersionCPE
foxitsoftwarefoxit_reader12.1.3.15356cpe:2.3:a:foxitsoftware:foxit_reader:12.1.3.15356:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
foxitsoftware	foxit_reader	12.1.3.15356	cpe:2.3:a:foxitsoftware:foxit_reader:12.1.3.15356:::::::*

CNA Affected

[
  {
    "vendor": "Foxit",
    "product": "Foxit Reader",
    "versions": [
      {
        "version": "12.1.3.15356",
        "status": "affected"
      }
    ]
  }
]