Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability
CVE-2024-9245

7.8 HIGH

Key Information:

Vendor: Foxit
Product: PDF Reader
CVE Published: 22 November 2024

Summary

The flaw in the Foxit PDF Reader Update Service arises from incorrect permissions assigned to the configuration files. This misconfiguration allows local attackers, who have acquired the ability to execute low-privileged code, to exploit the vulnerability for privilege escalation. By leveraging this security gap, malicious actors can execute arbitrary code at the SYSTEM level, thereby gaining elevated rights on the affected installations. It is crucial for users to ensure their software is up-to-date and to apply available security patches to mitigate risks associated with this vulnerability. Further information can be referenced in the advisory published by Zero Day Initiative and Foxit's own security bulletin.

Affected Version(s)

PDF Reader 2024.2.0.25138

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

Collectors

NVD Database, Mitre Database