CVE-2021-41784 Foxit PDF Reader and Editor before 11.1 and PhantomPDF 10.1.6 allow attackers to trigger a use after free and execute arbitrary code.

CVE-2019-9274 Foxit has been notified that JavaScript in PhantomPDF before 10.1.6 and Foxit Reader before 11.1 allows a remote attacker to trigger a use-after-free and execute arbitrary code because the Foxit software does not properly handle objects in memory during script execution. Foxit has been notified that PhantomPDF before 10.1.6 and Foxit Reader before 11.1 allow a remote attacker to execute arbitrary code via a crafted PDF file because the PDF file does not properly handle JavaScript during script execution. Foxit has been notified that PhantomPDF before 10.1.6 and Foxit Reader before 11.1 allow a remote attacker to execute arbitrary code via a crafted PDF file because the PDF file does not properly handle JavaScript during script execution. Foxit has been notified that PhantomPDF before 10.1.6 and Foxit Reader before 11.1 allow a remote attacker to execute arbitrary code via a crafted PDF file because the PDF file does not properly handle JavaScript during script execution. - CVE-2019-9275 Foxit has been notified that PhantomPDF before 10.1.6 and Foxit Reader before 11.1 allow a remote attacker to execute arbitrary code via a crafted PDF file because the PDF file does not properly handle JavaScript during script execution. Foxit has been notified that PhantomPDF before 10.1.6 and Foxit Reader before 11.1 allow a remote attacker to execute arbitrary code via a crafted PDF file because the PDF file

References

- CVE-2019-9274
- CVE-2019-9275

Vulnerability details br

The vulnerability affects all versions of PhantomPDF before 10.1.6 and Foxit Reader before 11.1. It was discovered during internal testing and has not been exploited in the wild.

Solution description:

To fix the vulnerabilities, Foxit has released the following updates:
Foxit Reader 11.1 is the first update of this product in the 11.x series and includes all previous updates to fix these vulnerabilities.

- Release date: 12-Feb-2019
- Fixed: CVE-2019-9275
- Fixed: CVE-2019-9274

Summary

Foxit has been notified that PhantomPDF before 10.1.6 and Foxit Reader before 11.1 allow a remote attacker to execute arbitrary code via a crafted PDF file because the PDF file does not properly handle JavaScript during script execution.
This particular issue is rated critical because it could allow an attacker to gain access to sensitive information, take control of the affected system, cause a denial of service condition, or potentially disclose sensitive information such as passwords and session tokens.

Timeline

Published on: 08/29/2022 05:15:00 UTC
Last modified on: 09/02/2022 12:54:00 UTC

References

• https://www.foxit.com/support/security-bulletins.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41784