Remote Code Execution Vulnerability in Kofax Power PDF Due to U3D File Parsing
CVE-2023-51597

7.8HIGH

Key Information:

Vendor: Kofax
Status: Power PDF
Vendor: CVE Published:; 3 May 2024

Summary

A vulnerability in Kofax Power PDF related to U3D file parsing allows remote attackers to execute arbitrary code on affected installations. The flaw arises from inadequate validation of user-supplied data, enabling an out-of-bounds write that can occur when a user opens a specially crafted U3D file. Although user interaction is required, this vulnerability presents significant risks as it can allow an attacker to run code in the context of the current process, potentially compromising the integrity and confidentiality of the system.

Affected Version(s)

Power PDF 5.0.0.57 (5.0.0.10)

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1906/

x_research-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2024