Kaspersky LabKLA11237KLA11237 Multiple vulnerabilities in Foxit Reader and Foxit PhantomPDF
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.542 Medium
EPSS
Percentile
97.6%
Multiple serious vulnerabilities have been found in Foxit Reader and Foxit PhantomPDF. Malicious users can exploit these vulnerabilities to obtain sensitive information, cause denial of service and execute arbitrary code.
Below is a complete list of vulnerabilities:
- An unsafe DLL loading vulnerability can be exploited remotely to execute arbitrary code;
- A heap buffer overflow can be exploited remotely to execute arbitrary code;
- Multiple use-after-free vulnerabilities can be exploited remotely to execute arbitrary code;
- An uninitialized memory/pointer vulnerability can be exploited remotely to obtain sensitive information and execute arbitrary code;
- An out-of-bounds read/write vulnerability can be exploited remotely to obtain sensitive information and execute arbitrary code;
- Multiple type confusion vulnerabilities can be exploited remotely to cause denial of service and execute arbitrary code;
- An use-after-free vulnerability can be exploited remotely to obtain sensitive information and execute arbitrary code;
- Multiple unspecified vulnerabilities can be exploited remotely to obtain sensitive information and execute arbitrary code;
Original advisories
Related products
CVE list
CVE-2018-3850 high
CVE-2018-3842 high
CVE-2018-3843 high
CVE-2018-10302 high
CVE-2018-10303 high
CVE-2018-3853 high
CVE-2017-17557 high
CVE-2017-14458 high
Solution
Update to the latest versionDownload Foxit PhantomPDF
Impacts
- ACE
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
- OSI
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
- DoS
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
Affected Products
- Foxit Reader earlier than 9.1.0.5096Foxit PhantomPDF earlier than 9.1.0.5096
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.542 Medium
EPSS
Percentile
97.6%