Foxit Reader Use-After-Free Vulnerability Can Lead to Arbitrary Code Execution
CVE-2024-28888
8.8 HIGH
Summary
A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a checkbox field object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.
Affected Version(s)
Foxit Reader = 2024.1.0.23997
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Risk changed from: none to: 8.8 (HIGH)
Vulnerability published.
Collectors
NVD Database, Mitre Database
Credit
Discovered by KPC of Cisco Talos.