External Control of File Name or Path in Foxit PDF Editor (formerly Foxit PhantomPDF) - #VU83188

 


Published: November 15, 2023 / Updated: November 22, 2023


Vulnerability identifier: #VU83188
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Foxit Software Inc.
Affected software:
Foxit PDF Editor (formerly Foxit PhantomPDF)

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists because the application allows an attacker to control the path of the files to execute when the OpenAction method is used within a PDF file. A remote attacker can trick the victim into opening a specially crafted PDF file and execute arbitrary commands on the system.
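
A triage check for inbound PDFs, tied to the OpenAction behaviour described above and added here as an example (it is not code from Foxit or from this advisory): it lists what each document's OpenAction resolves to and flags anything other than in-document navigation. The function names, the allowlist and the sample bytes are constructed, the /Launch type in the sample is illustrative because the advisory does not name the action type, and the scan sees only uncompressed objects.

```python
import re

# Constructed allowlist (an assumption): results that only navigate in-document.
BENIGN = {"destination", "GoTo"}

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /Open#41ction still matches."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def find_object(data: bytes, num: int, gen: int):
    """Return the body of indirect object 'num gen obj ... endobj', or None."""
    m = re.search(rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (num, gen), data, re.S)
    return m.group(1) if m else None

def open_actions(pdf: bytes):
    """List (action_type, file_spec) for each /OpenAction in uncompressed objects."""
    data = normalize_names(pdf)
    found = []
    for m in re.finditer(rb"/OpenAction\s*(?:(\d+)\s+(\d+)\s+R)?", data):
        if m.group(1):   # indirect reference: resolve the target object
            body = find_object(data, int(m.group(1)), int(m.group(2)))
        else:            # direct value: inspect up to the end of this object
            body = data[m.end():].split(b"endobj", 1)[0]
        if body is None:
            found.append(("unresolved", None))
        elif body.lstrip().startswith(b"["):
            found.append(("destination", None))   # explicit destination array
        else:
            s = re.search(rb"/S\s*/(\w+)", body)        # action subtype
            f = re.search(rb"/F\s*\(([^)]*)\)", body)   # literal file specification
            found.append((s.group(1).decode() if s else "unknown",
                          f.group(1).decode("latin-1") if f else None))
    return found

def needs_review(pdf: bytes) -> bool:
    """True when any OpenAction is something other than in-document navigation."""
    return any(kind not in BENIGN for kind, _ in open_actions(pdf))

# Constructed samples, not real documents; the /Launch type is illustrative only.
SAMPLE_NAV = b"1 0 obj\n<< /Type /Catalog /OpenAction [3 0 R /Fit] >>\nendobj\n"
SAMPLE_FILE = (b"1 0 obj\n<< /Type /Catalog /Open#41ction 5 0 R >>\nendobj\n"
               b"5 0 obj\n<< /S /Launch /F (constructed-placeholder.bin) >>\nendobj\n")

if __name__ == "__main__":
    for name, sample in (("nav", SAMPLE_NAV), ("file", SAMPLE_FILE)):
        print(name, open_actions(sample), "review" if needs_review(sample) else "ok")
```

A document whose catalog sits inside a compressed object stream yields no findings here, so an empty result means "nothing visible", not "clean".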


Remediation

Install updates from the vendor's website.

Sources