Use-After-Free Vulnerability in Foxit PDF Reader Software
CVE-2023-28744

8.8HIGH

Key Information:

Vendor: Foxit
Status: Foxit Reader
Vendor: CVE Published:; 19 July 2023

Summary

A use-after-free vulnerability in the JavaScript engine of Foxit Software's PDF Reader (version 12.1.1.15289) enables attackers to exploit memory issues by crafting malicious PDF documents. When a user opens a compromised file or visits a dangerous website with the browser plugin enabled, the vulnerability can trigger reuse of previously released memory through specific manipulations of form fields. This can result in memory corruption, potentially allowing for arbitrary code execution, putting user systems at risk.

Affected Version(s)

Foxit Reader 12.1.1.15289

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 19, 2023
Vulnerability Reserved
Mar 28, 2023

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.