![]() Another Cisco-discovered attack references six separate use-after-free CVEs in the JavaScript engine of Foxit PDF Reader, which can be abused to execute arbitrary code. “When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition.”Ĭisco also uncovered four use-after-free flaws that can be leveraged to execute arbitrary code in the JavaScript engine of Foxit PDF Reader, including one (CVE-2018-3964) that leverages the invocation of the ‘getPageNumWords’ method of the active document with a crafted object as an argument. “As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms,” said Cisco in its post. Of the newly-disclosed Cisco flaws, seven are use-after-free vulnerabilities found in the JavaScript engine that can result in remote code execution. ![]() They were all found in the Foxit PDF Reader’s JavaScript engine, a component or interpreter which executes JavaScript code. All 18 Cisco flaws have a CVSSv3 score of 8.0, or rated high in severity. and earlier for Windows.Įighteen vulnerabilities were discovered by Cisco, which posted an analyses of the bugs on Monday in a report. It’s important to note that some bugs addressed overlap, so the actual number of real-world bugs is lower. Impacted are Foxit Reader and Foxit PhantomPDF versions 9. Many of the bugs tackled by the company include a wide array of high severity remote code execution vulnerabilities.įoxit on Friday released fixes for Foxit Reader 9.3 and Foxit PhantomPDF 9.3, which addressed a whopping 124 vulnerabilities. ![]() Foxit Software has patched over 100 vulnerabilities in its popular Foxit PDF Reader.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |