Arbitrary File Creation Vulnerability in Foxit Reader by Foxit Software
CVE-2023-40194

8.8HIGH

Key Information:

Vendor: Foxit
Status: Foxit Reader
Vendor: CVE Published:; 27 November 2023

Summary

An arbitrary file creation vulnerability exists within the JavaScript exportDataObject API of Foxit Reader 12.1.3.15356 caused by the improper handling of whitespace characters. This flaw enables attackers to craft malicious files that can create files at arbitrary system locations, potentially leading to arbitrary code execution. An exploitation attempt requires the user to open the compromised file, or visit a specially crafted website that leverages the browser plugin extension, posing significant security risks.

Affected Version(s)

Foxit Reader 12.1.3.15356

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 27, 2023
Vulnerability Reserved
Aug 15, 2023

Credit

Discovered by Kamlapati Choubey of Cisco Talos.