#VU87283 Command Injection in Foxit PDF Reader for Windows and Foxit PDF Editor (formerly Foxit PhantomPDF)


Published: 2024-03-08

Vulnerability identifier: #VU87283

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-25858

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Foxit PDF Reader for Windows
Client/Desktop applications / Office applications
Foxit PDF Editor (formerly Foxit PhantomPDF)
Client/Desktop applications / Office applications

Vendor: Foxit Software Inc.

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when processing JavaScript inside PDF files. A remote attacker can trick the victim to open a specially crafted PDF file and execute arbitrary commands with malicious parameters.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Foxit PDF Reader for Windows: 10.0.0.35798 - 2023.3.0.23028

Foxit PDF Editor (formerly Foxit PhantomPDF): 2023.1.0.15510 - 2023.3.23028, 13.0.0.21632 - 13.0.1.61866, 12.0.0.0601 - 12.1.4.15400, 11.0.0.0510 - 11.2.8.53842, 10.0.0.35798 - 10.1.12.37872


External links
http://www.foxit.com/support/security-bulletins.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability