Multiple vulnerabilities in Foxit PDF Reader and Editor for Mac



Published: 2022-11-01
Risk Low
Patch available YES
Number of vulnerabilities 4
CVE-ID N/A
CWE-ID CWE-476
CWE-125
CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Foxit Reader for Mac
Client/Desktop applications / Office applications

Foxit PDF Editor for Mac (formerly PhantomPDF)
Client/Desktop applications / Office applications

Vendor Foxit Software Inc.

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) NULL pointer dereference

EUVDB-ID: #VU68899

Risk: Low

CVSSv3.1:

CVE-ID: N/A

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when handling certain JavaScripts. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Foxit Reader for Mac: 11.0.0.0510 - 12.0.1.0720

Foxit PDF Editor for Mac (formerly PhantomPDF): 12.0.0.0601 - 12.0.1.0720


CPE2.3 External links

http://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+PDF+Editor+for+Mac+12.0.2+and+Foxit+PDF+Reader+for+Mac+12.0.2+2022-11-01+00%3A00%3A00

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) NULL pointer dereference

EUVDB-ID: #VU68900

Risk: Low

CVSSv3.1:

CVE-ID: N/A

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when parsing certain PDF files whose colSpan attribute is set beyond the maximum length allowed. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Foxit Reader for Mac: 11.0.0.0510 - 12.0.1.0720

Foxit PDF Editor for Mac (formerly PhantomPDF): 12.0.0.0601 - 12.0.1.0720


CPE2.3 External links

http://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+PDF+Editor+for+Mac+12.0.2+and+Foxit+PDF+Reader+for+Mac+12.0.2+2022-11-01+00%3A00%3A00

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Out-of-bounds read

EUVDB-ID: #VU68901

Risk: Low

CVSSv3.1:

CVE-ID: N/A

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to a boundary condition when parsing U3D files. A remote attacker can create a specially crafted U3D file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Foxit PDF Editor for Mac (formerly PhantomPDF): 11.0.1.0719 - 12.0.1.0720

Foxit Reader for Mac: 12.0.0.0601 - 12.0.1.0720


CPE2.3 External links

http://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+PDF+Editor+for+Mac+12.0.2+and+Foxit+PDF+Reader+for+Mac+12.0.2+2022-11-01+00%3A00%3A00

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Stack exhaustion

EUVDB-ID: #VU68902

Risk: Low

CVSSv3.1:

CVE-ID: N/A

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to a boundary condition when handling certain PDF files containing a field that is formatted as “Percent” with an overly large value, or due to the infinite recursion resulting from the incorrect hierarchy structure of nodes when handling certain PDF or XFA files.. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger a buffer overflow and crash the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Foxit PDF Editor for Mac (formerly PhantomPDF): 11.0.1.0719 - 12.0.1.0720

Foxit Reader for Mac: 12.0.0.0601 - 12.0.1.0720


CPE2.3 External links

http://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+PDF+Editor+for+Mac+12.0.2+and+Foxit+PDF+Reader+for+Mac+12.0.2+2022-11-01+00%3A00%3A00

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###