Remote Code Execution Vulnerability in Foxit PhantomPDF by Foxit Software
CVE-2021-27268
7.8HIGH
Summary
This vulnerability enables remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF, specifically version 10.1.0.37527. Exploitation is contingent upon user interaction, requiring the victim to visit a malicious website or open a compromised file. The flaw is rooted in the improper handling of U3D objects within PDF files, where the absence of validation for the existence of the object prior to operational commands can be manipulated by an attacker. This flaw poses significant risks as the code execution occurs within the context of the current user process, potentially allowing for unauthorized actions and data access.
Affected Version(s)
PhantomPDF 10.1.0.37527
References
CVSS V3.1
Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Mat Powell of Trend Micro Zero Day Initiative