Remote Code Execution Vulnerability in Kofax Power PDF Due to BMP File Parsing
CVE-2023-51569
7.8 HIGH
Summary
A vulnerability in Kofax Power PDF allows remote attackers to execute arbitrary code on systems running affected versions of the software. The flaw is an out-of-bounds write caused by improper validation during BMP file parsing. Exploitation requires user interaction: the attacker must entice the user to open a malicious BMP file or visit an attacker-controlled page containing such a file. If exploited, this flaw could enable an attacker to execute code within the context of the current user’s process, potentially compromising sensitive information and system integrity.
Affected Version(s)
Power PDF 5.0.0.57 (5.0.0.10.0.23307)
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published