This issue could result in remote code execution if a user were tricked into visiting a specially crafted website. To exploit it, an attacker would have to convince a user to click on a specially crafted link that leads to such a website. This issue was resolved in OTFCC 10.0.2.

OTFCC 10.0.2 was released on May 5, 2018 with the following change:

- Fix heap buffer overflow in otfccdump. Reported via OTFCC commit 617837b.

CVE-2018-11661: An issue was discovered in Open Type Font Creator (OTFCC) 10.0.2. An attacker could leverage this vulnerability to execute arbitrary code on a target system. This vulnerability is accessible via the following vectors: the attacker could host a specially crafted website that, when visited by a user, could trigger this issue; the attacker could also send specially crafted messages to a user via email or other means of messaging. In all cases, an attacker would have to convince a user to visit a specially crafted website or open a specially crafted message to leverage this issue. This issue exists due to insufficient validation of user-supplied data before it is used to execute operating system commands.

Vulnerable Products

The following products are vulnerable: OTFCC 10.0.2

Timeline

Published on: 10/14/2022 12:15:00 UTC
Last modified on: 10/15/2022 02:13:00 UTC

References