Arbitrary File Creation Vulnerability in Foxit Reader by Foxit Software
CVE-2023-40194

8.8 HIGH

Key Information:

Vendor: Foxit
CVE Published: 27 November 2023

Summary

An arbitrary file creation vulnerability exists in the JavaScript exportDataObject API of Foxit Reader 12.1.3.15356, caused by improper handling of whitespace characters. An attacker can craft a malicious file that creates files at arbitrary locations on the system, which can lead to arbitrary code execution. Exploitation requires the user to open the malicious file, or to visit a specially crafted website that leverages the browser plugin extension.

Affected Version(s)

Foxit Reader 12.1.3.15356

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Discovered by Kamlapati Choubey of Cisco Talos.