Remote Code Execution Vulnerability in Foxit PhantomPDF by Foxit Software
CVE-2021-27268

7.8 HIGH

Key Information:

Vendor:
Foxit
CVE Published:
30 March 2021

Summary

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF, specifically version 10.1.0.37527. Exploitation requires user interaction: the victim must visit a malicious website or open a malicious file. The flaw lies in the handling of U3D objects embedded in PDF files; the software does not validate that an object exists before performing operations on it, and an attacker can exploit this missing check to execute code in the context of the current process. Because execution takes place with the privileges of the current user, a successful attack may allow unauthorized actions and access to that user's data.

Affected Version(s)

PhantomPDF 10.1.0.37527

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Mat Powell of Trend Micro Zero Day Initiative