#VU12833 Type confusion in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2018-7407


Vulnerability identifier: #VU12833

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-7407

CWE-ID: CWE-843

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Foxit PDF Editor (formerly Foxit PhantomPDF)
Client/Desktop applications / Office applications
Foxit PDF Reader for Windows
Client/Desktop applications / Office applications

Vendor: Foxit Software Inc.

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion. A remote attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Foxit PDF Editor (formerly Foxit PhantomPDF): 9.0.1.1049

Foxit PDF Reader for Windows: 9.0.1.1049


External links
https://www.foxitsoftware.com/support/security-bulletins.php


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability