Skip to main content

Foxit Reader CVE-2018-14266

HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2018-07-31 zdi-disclosures@trendmicro.com
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 31, 2018 - 20:29 nvd
HIGH 8.8

DescriptionNVD

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the importDataObject method. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6029.

AnalysisAI

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Access of Resource Using Incompatible Type (Type Confusion) vulnerability could allow attackers to execute arbitrary code by exploiting type confusion in the application.

Technical ContextAI

This vulnerability is classified as Access of Resource Using Incompatible Type (Type Confusion) (CWE-843), which allows attackers to execute arbitrary code by exploiting type confusion in the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the importDataObject method. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6029. Affected products include: Foxitsoftware Foxit Reader, Foxitsoftware Phantompdf.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Enforce strict type checking, use type-safe languages, validate object types before operations.

CVE-2015-2790 MEDIUM POC
4.3 Mar 30

Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1 allow remote attackers to cause a denial of service (memory c

CVE-2018-9958 HIGH POC
8.8 May 17

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1

CVE-2017-10952 HIGH POC
8.8 Aug 29

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.0.2

CVE-2018-9948 MEDIUM POC
6.5 May 17

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader

CVE-2023-40194 HIGH POC
8.8 Nov 27

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due

CVE-2023-39542 HIGH POC
8.8 Nov 27

A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. Rated high severity (CV

CVE-2023-38573 HIGH POC
8.8 Nov 27

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles a signature field. Rated high severit

CVE-2023-35985 HIGH POC
8.8 Nov 27

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due

CVE-2023-32616 HIGH POC
8.8 Nov 27

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles 3D annotations. Rated high severity (

CVE-2021-21822 HIGH POC
8.8 May 10

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.3.37598. Rat

CVE-2020-13547 HIGH POC
8.8 Dec 22

A type confusion vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.3752

CVE-2020-13570 HIGH POC
8.8 Dec 22

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. Rat

Share

CVE-2018-14266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy