SB2020102937 - Multiple vulnerabilities in Foxit Studio Photo
Published: October 29, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2020-17418)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted EZIX file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
2) Out-of-bounds write (CVE-ID: CVE-2020-27857)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted NEF file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
3) Out-of-bounds read (CVE-ID: CVE-2020-27856)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted CR2 file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
4) Out-of-bounds read (CVE-ID: CVE-2020-27855)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted SR2 file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
5) Out-of-bounds read (CVE-ID: CVE-2020-17436)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted CMP file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
6) Out-of-bounds read (CVE-ID: CVE-2020-17435)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted CR2 file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
7) Out-of-bounds read (CVE-ID: CVE-2020-17434)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted ARW file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
8) Out-of-bounds read (CVE-ID: CVE-2020-17433)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted CMP file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
9) Out-of-bounds read (CVE-ID: CVE-2020-17432)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted CR2 file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
10) Out-of-bounds write (CVE-ID: CVE-2020-17431)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted CR2 file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
11) Out-of-bounds write (CVE-ID: CVE-2020-17430)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted CR2 file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
12) Out-of-bounds read (CVE-ID: CVE-2020-17429)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted CMP file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
13) Out-of-bounds read (CVE-ID: CVE-2020-17428)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted CMP file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
14) Out-of-bounds read (CVE-ID: CVE-2020-17427)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted NEF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
15) Out-of-bounds write (CVE-ID: CVE-2020-17426)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted CR2 file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
16) Out-of-bounds write (CVE-ID: CVE-2020-17425)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted EPS file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
17) Out-of-bounds write (CVE-ID: CVE-2020-17424)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted EZI file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
18) Heap-based buffer overflow (CVE-ID: CVE-2020-17423)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick a victim to open a specially crafted ARW file, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
19) Out-of-bounds read (CVE-ID: CVE-2020-17422)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted EPS file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
20) Out-of-bounds write (CVE-ID: CVE-2020-17421)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted NEF file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
21) Out-of-bounds read (CVE-ID: CVE-2020-17420)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted NEF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
22) Out-of-bounds write (CVE-ID: CVE-2020-17419)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted NEF file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://www.zerodayinitiative.com/advisories/ZDI-20-1329/
- https://www.foxitsoftware.com/support/security-bulletins.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-1350/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1349/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1348/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1347/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1346/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1345/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1344/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1343/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1342/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1341/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1340/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1339/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1338/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1337/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1336/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1335/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1334/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1333/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1332/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1331/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1330/