Foxit Reader Use-After-Free Vulnerability Can Lead to Arbitrary Code Execution
CVE-2024-28888

8.8 HIGH

Key Information:

Vendor
Foxit
CVE Published:
2 October 2024

Summary

A use-after-free vulnerability exists in the way Foxit Reader handles checkbox field objects. An attacker can trigger it with specially crafted JavaScript embedded in a PDF document; the resulting memory corruption can lead to arbitrary code execution in the context of the user who opened the file. Exploitation requires user interaction: the victim must open the malicious PDF, typically delivered through social engineering, or visit a malicious website that serves it. The risk is greater where the browser's Foxit Reader plugin is enabled, because the document is then rendered in the browser without the user saving and opening it. Since the trigger is document JavaScript, disabling JavaScript actions in the reader, where the deployment permits it, removes this attack path until the affected version is updated.
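As an added triage example (not code from Foxit, Cisco Talos, or this advisory), the script below scans a PDF for the two ingredients the summary names: embedded JavaScript and checkbox (button) form fields. It assumes regular-expression matching over raw PDF syntax, with Flate-compressed streams inflated so object streams cannot hide the tokens, rather than a full PDF parser; the sample documents are constructed for the example and contain no exploit.

```python
"""Static triage of a PDF for the two ingredients named in the advisory:
embedded JavaScript and checkbox (button) form fields.

Assumptions (this is an added example, not Foxit or Talos code):
- The PDF is scanned as raw syntax with regular expressions, after inflating
  Flate-compressed streams so object streams cannot hide the tokens.
- Other filters (LZW, ASCIIHex, encryption) are not handled; a clean result
  is therefore absence of evidence, not proof the file is safe.
"""
import re
import zlib

# Indicators. /JavaScript is the action subtype and /JS carries the script
# body; /OpenAction and /AA are the usual automatic triggers; /FT /Btn is the
# field type used for checkboxes (and also for radio and push buttons).
JS_TOKENS = (rb"/JavaScript", rb"/JS\b")
TRIGGER_TOKENS = (rb"/OpenAction", rb"/AA\b")
BTN_FIELD = re.compile(rb"/FT\s*/Btn")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Return the document plus the inflated body of every Flate stream.

    decompressobj() is used instead of zlib.decompress() so that a stream
    whose trailing checksum byte was eaten by the end-of-line match still
    yields its data instead of raising.
    """
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream (uncompressed content, other filter)
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data: bytes) -> dict:
    """Count each indicator; the caller decides the policy."""
    text = inflate_streams(data)
    return {
        "javascript": sum(len(re.findall(t, text)) for t in JS_TOKENS),
        "triggers": sum(len(re.findall(t, text)) for t in TRIGGER_TOKENS),
        "button_fields": len(BTN_FIELD.findall(text)),
    }


def is_suspicious(report: dict) -> bool:
    """Script plus a button field, or script plus an auto-trigger, is the
    combination worth quarantining for manual review."""
    return report["javascript"] > 0 and (
        report["button_fields"] > 0 or report["triggers"] > 0
    )


# Constructed samples (not real malicious files). The JavaScript body is a
# harmless placeholder that merely references the checkbox field "cb".
SAMPLE_WITH_JS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >>
  /OpenAction << /S /JavaScript /JS (this.getField("cb");) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (cb) /Rect [10 10 30 30] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_BENIGN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (agree) /Rect [10 10 30 30] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    """Same indicators as SAMPLE_WITH_JS, but the catalog sits inside a
    Flate-compressed object stream, which a plain string search misses."""
    inner = b'1 0 obj << /OpenAction << /S /JavaScript /JS (this.getField("cb");) >> >> endobj'
    comp = zlib.compress(inner)
    return (
        b"%PDF-1.7\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(comp)).encode()
        + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n"
        + b"4 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (cb) >> endobj\n%%EOF\n"
    )


if __name__ == "__main__":
    for name, doc in (("with_js", SAMPLE_WITH_JS), ("benign", SAMPLE_BENIGN),
                      ("compressed", build_compressed_sample())):
        rep = triage_pdf(doc)
        print(name, rep, "SUSPICIOUS" if is_suspicious(rep) else "ok")
```

The benign form (a checkbox with no script) passes, the document with an /OpenAction script and a checkbox is flagged, and the compressed variant is flagged only because the stream is inflated first; a scanner that greps the raw bytes would report it clean.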

Affected Version(s)

Foxit Reader 2024.1.0.23997

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 2 October 2024: vulnerability published

Credit

Discovered by KPC of Cisco Talos.