SB2024121831 - Multiple vulnerabilities in Foxit PDF Reader and Editor for Mac

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024121831

SB2024121831 - Multiple vulnerabilities in Foxit PDF Reader and Editor for Mac

Published: December 18, 2024

Security Bulletin ID SB2024121831
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 33% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper authorization in handler for custom URL scheme (CVE-ID: N/A)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an error when handling XFA documents. A remote attacker can trick the victim into opening a specially crafted PDF document and compromise the affected system.


2) Improper verification of cryptographic signature (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the application improperly ignores the changes to the “/NeedsRendering” key or “TextField” field when verifying the XFA documents. A remote attacker perform spoofing attack and make users believe that the document is properly signed.


3) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application fails to provide a reasonable prompt for user confirmation when executing the “app.openDoc”/“LaunchAction” functions, or ignores the encryption elements and transmits form content in clear text without a proper prompt for users. A remote attacker can trick the victim into opening a specially crafted XFA file and gain access to sensitive information.


Remediation

Install update from vendor's website.

References