Abdul-Aziz Hariri of Trend Micro Zero Day InitiativeZDI-20-990Adobe Acrobat Pro DC Web2PDF:AppLinks JavaScript Restrictions Bypass Vulnerability
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:C/A:N
0.001 Low
EPSS
Percentile
48.5%
This vulnerability allows remote attackers to bypass JavaScript API restrictions on affected installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within a hidden menu item. By performing actions in JavaScript, an attacker can cause the parsing of arbitrary HTML documents. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:C/A:N
0.001 Low
EPSS
Percentile
48.5%