Use of Uninitialized Variable in Foxit Studio Photo

#VU52355 Use of Uninitialized Variable in Foxit Studio Photo

Published: 2021-04-20 | Updated: 2021-04-27

Vulnerability identifier: #VU52355

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2021-31435

CWE-ID: CWE-457

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Foxit Studio Photo
Client/Desktop applications / Office applications

Vendor: Foxit Software Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an uninitialized variable within the parsing of CMP files. A remote attacker can trick the victim to open a specially crafted CMP file and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Foxit Studio Photo: 3.6.6.918 - 3.6.6.933

CPE

cpe:2.3:a:foxit_software:foxit_studio_photo:3.6.6.933:*:*:*:*:*:*:*

External links
http://www.foxitsoftware.com/support/security-bulletins.html?Security+update+available+in+Foxit+Studio+Photo+3.6.6.9342021-04-20+00%3A00%3A00
http://www.zerodayinitiative.com/advisories/ZDI-21-478/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Foxit Studio Photo