Multiple vulnerabilities in Foxit MobilePDF for iOS

Published: 2017-11-13 12:37:53
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
CVE ID: N/A
CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
        6.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CWE ID: CWE-20, CWE-22
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: MobilePDF for iOS
Vulnerable software versions:
MobilePDF for iOS 2.1.1.0321
MobilePDF for iOS 2.2.0.0616
MobilePDF for iOS 3.0.0.0917

Vendor URL: Foxit Software Inc.

Security Advisory

1) Improper input validation

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can upload, via Wi-Fi, a specially crafted file with a hexadecimal Unicode character in the “filename” parameter and cause the application to fail to parse the file name.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Update to version 6.1.

External links

https://www.foxitsoftware.com/support/security-bulletins.php

2) Directory traversal

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to directory traversal. A remote attacker can send a specially crafted HTTP request that abuses the URL + escape character during Wi-Fi transfer, bypass security restrictions and maliciously manipulate local application files.

Remediation

Update to version 6.1.

External links

https://www.foxitsoftware.com/support/security-bulletins.php
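
Both weaknesses above come down to how a file-transfer endpoint handles the escaped file name it receives. The following is an added example, not Foxit's code and not part of the original advisory: a fail-closed name check written in Python for illustration (the affected app is an iOS application). It assumes the endpoint receives the name still percent-escaped; `safe_upload_path`, `check`, `RejectedName` and the sample names are hypothetical.

```python
import os
import re
import unicodedata
from urllib.parse import unquote_to_bytes

RESIDUAL_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


class RejectedName(ValueError):
    """The transfer name must not be written to disk."""


def safe_upload_path(root: str, raw_name: str) -> str:
    """Map a still-escaped file name from a transfer request to a path under root."""
    # Decode percent-escapes exactly once, to bytes, so invalid UTF-8 is caught
    # here as a controlled rejection instead of failing later in the parser.
    try:
        name = unquote_to_bytes(raw_name).decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise RejectedName("escapes do not decode to valid UTF-8") from exc
    # Double encoding (%252e -> %2e) is refused rather than decoded again.
    if RESIDUAL_ESCAPE.search(name):
        raise RejectedName("nested percent-escape")
    name = unicodedata.normalize("NFC", name)
    # Conservative policy: no NUL, control, format or unassigned code points.
    if not name or any(unicodedata.category(c).startswith("C") for c in name):
        raise RejectedName("empty name or non-printable code point")
    # A transfer name is one path component, never a path.
    if name in (".", "..") or "/" in name or "\\" in name:
        raise RejectedName("path separator or dot segment")
    # Defence in depth: resolve symlinks and confirm the result stays in root.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise RejectedName("resolved path leaves the upload directory")
    return target


def check(root: str, raw_name: str) -> str:
    """Return 'ok' or the rejection reason, for logging and tests."""
    try:
        safe_upload_path(root, raw_name)
        return "ok"
    except RejectedName as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ("report%20Q3.pdf", "..%2f..%2fnotes.txt", "%252e%252e", "%ff.pdf"):
        print(f"{sample!r}: {check('uploads', sample)}")
```

Rejecting a malformed name with a specific reason keeps the failure in the request handler, where it can be logged and answered with an error, rather than in the code that later parses or opens the file.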