This issue has been assigned a Common Vulnerability Scoring System (CVSS) rating of 7.5. Attackers could exploit this vulnerability to take over the affected system in order to obtain sensitive information or to perform other activities as an authorized user. An attacker could host a malicious .dwf or .pct file on a network share; when the file is accessed through the DesignReview.exe application, it could lead to information disclosure or elevation of privileges.

Additionally, this issue has been assigned a CVSS rating of 10.0 because the .dwf or .pct file could also be exploited using a cross-process scripting vulnerability. To exploit this issue, an attacker would have to supply a crafted .dwf or .pct file to a user of the DesignReview.exe application.

Vulnerability details

This issue occurs when the load-time script is not properly validated and the presence of a required parameter is not checked.

DesignReview.exe File Type: DWF, .PCT
Function: Design Reviewer
Systems Affected: Microsoft Windows 10, 8.1, 8, 7

Vulnerabilities Discovered

This issue was discovered as part of a comprehensive review of the DesignReview application. Our team reported this vulnerability to the vendor in February 2015, and the vendor responded with an acknowledgement of receipt.

Vulnerability overview

The Design Review application has a vulnerability that could allow an attacker to take over the affected system and obtain sensitive information or perform other activities as an authorized user. This issue affects all Windows operating systems on which a .dwf or .pct file is accessed through the DesignReview.exe application.

To exploit this vulnerability, an attacker would need to craft a malicious .dwf or .pct file and then supply it to a user. Using this method, the attacker would have to target someone who scheduled a review within the DesignReview application.

Dependencies

The DesignReview.exe application has the following dependencies:

- Microsoft .NET Framework 4.5 or higher
- Adobe Acrobat Reader DC or Pro
- Microsoft Office 2007 Service Pack 3 (SP3)

Timeline

Published on: 10/21/2022 16:15:00 UTC
Last modified on: 10/24/2022 14:11:00 UTC
