#VU9875 Information disclosure in MobilePDF for Android

Cybersecurity Help s.r.o.

Published: 2018-01-08

Vulnerability identifier: #VU9875

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-200

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
MobilePDF for Android
Mobile applications / Apps for mobile phones

Vendor: Foxit Software Inc.

Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to exposed interface of the Wi-Fi service and insufficient validation of URI + escape character during Wi-Fi transfer. A remote attacker can read contents of arbitrary file on the device.

Mitigation
Update to version 6.1.

Vulnerable software versions

MobilePDF for Android: 6.0 - 6.0.2

External links
https://www.foxitsoftware.com/support/security-bulletins.php

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Foxit MobilePDF for Android 6.1