Skip to main content

Foxit Reader CVE-2020-13557

HIGH
Use After Free (CWE-416)
2020-12-22 talos-cna@cisco.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 22, 2020 - 18:15 nvd
HIGH 8.8

DescriptionNVD

A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

AnalysisAI

A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Use After Free (CWE-416), which allows attackers to access freed memory to execute arbitrary code or crash the application. A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability. Affected products include: Foxitsoftware Foxit Reader. Version information: version 10.1.0.37527..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use smart pointers or garbage-collected languages. Set pointers to NULL after freeing. Enable memory sanitizers.

CVE-2015-2790 MEDIUM POC
4.3 Mar 30

Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1 allow remote attackers to cause a denial of service (memory c

CVE-2018-9958 HIGH POC
8.8 May 17

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1

CVE-2017-10952 HIGH POC
8.8 Aug 29

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.0.2

CVE-2018-9948 MEDIUM POC
6.5 May 17

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader

CVE-2023-40194 HIGH POC
8.8 Nov 27

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due

CVE-2023-39542 HIGH POC
8.8 Nov 27

A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. Rated high severity (CV

CVE-2023-38573 HIGH POC
8.8 Nov 27

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles a signature field. Rated high severit

CVE-2023-35985 HIGH POC
8.8 Nov 27

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due

CVE-2023-32616 HIGH POC
8.8 Nov 27

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles 3D annotations. Rated high severity (

CVE-2021-21822 HIGH POC
8.8 May 10

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.3.37598. Rat

CVE-2020-13547 HIGH POC
8.8 Dec 22

A type confusion vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.3752

CVE-2020-13570 HIGH POC
8.8 Dec 22

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. Rat

Share

CVE-2020-13557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy