Use-After-Free Vulnerability in Foxit Reader by Foxit Software
CVE-2023-38573

8.8 HIGH

Key Information:

Vendor:
Foxit
CVE Published:
27 November 2023

Summary

A use-after-free vulnerability exists in Foxit Reader 12.1.2.15356 in the handling of signature fields. An attacker can exploit this flaw by crafting a malicious PDF containing specially formed JavaScript code. If a user opens this PDF, the JavaScript can trigger reuse of a previously freed object, leading to memory corruption and arbitrary code execution. Notably, exploitation can also occur through a compromised website if the user has the Foxit Reader browser plugin enabled. Users should exercise caution and avoid opening suspicious files to mitigate the risk associated with this vulnerability.

Affected Version(s)

Foxit Reader 12.1.3.15356

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Discovered by Aleksandar Nikolic and KPC of Cisco Talos.