Path traversal in Foxit PDF Reader for Windows and Foxit PDF Editor (formerly Foxit PhantomPDF) - #VU72
Published: July 1, 2016 / Updated: November 22, 2018
Vulnerability identifier: #VU72
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Foxit Software Inc.
Affected software:
Foxit PDF Reader for Windows
Foxit PDF Editor (formerly Foxit PhantomPDF)
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on vulnerable installations of Foxit Reader.
The vulnerability exists because Foxit Reader does not properly check the path passed to exportData. A remote unauthenticated attacker can execute arbitrary code by tricking a victim into visiting a malicious page or opening a malicious file.
Successful exploitation of this vulnerability may result in arbitrary code execution on the target system.
Remediation
Update your applications to the latest versions, which can be found at:
https://www.foxitsoftware.com/support/security-bulletins.php