SB2016070505 - Multiple vulnerabilities in Foxit Reader and PhantomPDF
Published: July 5, 2016
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Out-of-bounds write (CVE-ID: N/A)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows remote attacker to execute arbitrary code on vulnerable installations of Foxit Reader.
The vulnerability exists within the ConvertToPDF plugin. A remote attacker can cause arbitrary code execution by sending specially crafted GIF image to vulnerable server.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Improper input validation (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allow a remote attacker to execute arbitrary code on vulnerable installations of Foxit Reader.
The vulnerability exists within the ConvertToPDF plugin. A remote unauthenticated attacker can cause remote code execution by sending specially crafted JPEG image to vulnerable server.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.