Remote Code Execution Vulnerability in Kofax Power PDF Due to PDF File Parsing
CVE-2023-44432
7.8 HIGH
Summary
Kofax Power PDF contains a remote code execution flaw caused by improper validation of user-supplied data when parsing PDF files. Exploitation requires user interaction: the target must open a specially crafted PDF document or visit a malicious website. The missing validation can lead to an out-of-bounds write, potentially allowing unauthorized code execution within the context of the affected program. This poses a significant security risk for organizations that rely on Kofax Power PDF for handling documents and calls for immediate patching and preventive measures.
Affected Version(s)
Power PDF 5.0.0.57 (5.0.0.10)
References
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved