Main Vulnerability Database Vulnerabilities #VU48712

Input validation error in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Mac - #VU48712

Published: November 30, 2020

Vulnerability identifier: #VU48712

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Foxit Software Inc.

Affected software:
Foxit PDF Editor (formerly Foxit PhantomPDF)
Foxit PDF Reader for Mac

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the application fails to identify the objects in the incremental update when the Subtype entry of the Annotation dictionary is set as null. A remote attacker can perform the Evil Annotation Attack and deliver incorrect validation results when validating certain certified PDF files whose visible content was significantly altered.

Remediation

Install updates from vendor's website.

Sources

https://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+PhantomPDF+Mac+4.1.1+and+Foxit+Reader+Mac+4.1.12020-11-30+00%3A00%3A00

Input validation error in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Mac - #VU48712

Detailed vulnerability description

Remediation

Sources

Please verify you're human