Use-After-Free Vulnerability in Foxit PDF Reader Software
CVE-2023-28744

8.8 HIGH

Key Information:

Vendor
Foxit
CVE Published:
19 July 2023

Summary

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 12.1.1.15289. A specially crafted PDF document can trigger reuse of previously freed memory by misusing form-field control from JavaScript; the result is memory corruption that can lead to arbitrary code execution in the context of the user running the reader. The attacker needs to trick the user into opening the malicious file. Exploitation is also possible if the user visits a specially crafted, malicious website while the Foxit browser plugin extension is enabled.
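The bug class behind this advisory, as an added illustration that is not Foxit's code and not the Talos proof of concept: native code operating on a form-field object calls back into script, the script drops the object (a form-field removal is the assumed trigger here), and the native code then dereferences its stale pointer. The object pool, the field names, the `hostile_script` callback and the `0x41414141` payload are all constructed for this example; the pool stands in for the real heap so that slot reuse after free is deterministic and the demonstration does not rely on undefined behaviour. The hardened variant pins the object with a reference for the duration of the native operation, which is the usual fix for this pattern in scripting-engine host objects.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

/* Native object backing a script-visible form field (hypothetical model).
 * 'refcount' is only honoured by the hardened path; the vulnerable path lets
 * the script's release free the object regardless of who still points at it. */
typedef struct {
    int      in_use;
    int      refcount;
    char     name[16];
    uint32_t payload;   /* value native code reads back after the callback */
} field_t;

/* Fixed pool in place of the real heap: the lowest free slot is handed out
 * first, so a slot that was just freed is reused by the very next allocation.
 * That is what lets a dangling pointer observe attacker-controlled data. */
static field_t pool[POOL_SIZE];

static field_t *field_alloc(const char *name, uint32_t payload) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].refcount = 1;
            snprintf(pool[i].name, sizeof pool[i].name, "%s", name);
            pool[i].payload = payload;
            return &pool[i];
        }
    }
    return NULL;
}

static void field_retain(field_t *f) { f->refcount++; }

static void field_release(field_t *f) {
    if (f->in_use && --f->refcount == 0)
        memset(f, 0, sizeof *f);   /* slot returns to the pool */
}

/* Script callback invoked while native code is operating on the field.
 * The hostile variant drops the field (constructed stand-in for removing a
 * form field from JavaScript) and immediately allocates a new object with
 * attacker-chosen contents, which lands in the freed slot. */
typedef void (*script_cb)(field_t *);

static void hostile_script(field_t *f) {
    field_release(f);
    field_alloc("attacker", 0x41414141u);
}

/* VULNERABLE: calls into script, then dereferences the pointer it was handed,
 * with nothing pinning the object across the callback. */
static uint32_t set_value_vulnerable(field_t *f, script_cb cb) {
    cb(f);
    return f->payload;            /* dangling if the script released the field */
}

/* HARDENED: hold a reference for the duration of the native operation, so a
 * release from script cannot free the object until native code is done. */
static uint32_t set_value_hardened(field_t *f, script_cb cb) {
    field_retain(f);
    cb(f);
    uint32_t value = f->payload;  /* object is guaranteed alive here */
    field_release(f);             /* the last reference may go away now */
    return value;
}

/* Runs one scenario on a fresh pool and returns what native code read back:
 * 0x41414141 on the vulnerable path, the original 0x1000 on the hardened one. */
static uint32_t run_scenario(int hardened) {
    memset(pool, 0, sizeof pool);
    field_t *f = field_alloc("Text1", 0x1000u);
    return hardened ? set_value_hardened(f, hostile_script)
                    : set_value_vulnerable(f, hostile_script);
}

int main(void) {
    printf("vulnerable path read: 0x%08x (attacker data in reused slot)\n",
           run_scenario(0));
    printf("hardened path read:   0x%08x (original field)\n",
           run_scenario(1));
    return 0;
}
```

The same shape shows up wherever a native object is exposed to script: any call that can run script must assume the script may free whatever the caller is holding, and either pin it (reference count, handle scope) or re-validate the pointer after the callback returns. Note that the fix above still frees the object when the last reference goes away; the point is only that "last" is decided after native code has finished with it.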

Affected Version(s)

Foxit Reader 12.1.1.15289

CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.