Vulnerabilities > CVE-2018-20309 - Race Condition vulnerability in Foxitsoftware Phantompdf
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyGetAppEdition race condition that can cause a stack-based buffer overflow or an out-of-bounds read.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Windows NASL id FOXIT_PHANTOM_9_5.NASL description According to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 9.5. It is, therefore affected by multiple vulnerabilities: Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 131077 published 2019-11-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131077 title Foxit PhantomPDF < 9.5 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(131077); script_version("1.2"); script_cvs_date("Date: 2019/11/19"); script_cve_id( "CVE-2018-20309", "CVE-2018-20310", "CVE-2018-20311", "CVE-2018-20312", "CVE-2018-20313", "CVE-2018-20314", "CVE-2018-20315", "CVE-2018-20316" ); script_name(english:"Foxit PhantomPDF < 9.5 Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "A PDF toolkit installed on the remote Windows host is affected by multiple vulnerabilities"); script_set_attribute(attribute:"description", value: "According to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 9.5. It is, therefore affected by multiple vulnerabilities: Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"solution", value: "Upgrade to Foxit PhantomPDF version 9.5 or later"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20309"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantom"); script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantompdf"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("foxit_phantom_installed.nasl"); script_require_keys("installed_sw/FoxitPhantomPDF"); exit(0); } include('vcf.inc'); app = 'FoxitPhantomPDF'; app_info = vcf::get_app_info(app:app, win_local:TRUE); constraints = [ { 'min_version' : '9.0', 'max_version' : '9.4.1.16828', 'fixed_version' : '9.5' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family Windows NASL id FOXIT_PHANTOM_9_5_0.NASL description According to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 8.3.10. It is, therefore, affected by multiple vulnerabilities: - A heap-based buffer overflow condition exists in the proxyCPDFAction, proxyCheckLicence, proxyDoAction, proxyGetAppEdition, or proxyPreviewAction due to a stack buffer overflow or out-of-bounds read. An authenticated, local attacker can exploit this, via large integer or long string causing a denial of service condition or the execution of arbitrary code. - A directory traversal vulnerability exists in the cPDF plugin due to unexpected javascript invocation resulting in remote code execution. An unauthenticated, remote attacker can exploit this, by invoking javascript through the console to write local files. (ZDI-CAN-7407) - A integer overflow and crash condition exists in the XFA stuff method due to the lack of proper validation of user-supplied data. An attacker can explit this to disclose information. (ZDI-CAN-7561) - A use-after-free, out-of-bounds read, and crash vulnerability exists when converting HTML files to PDFs. An authenticated, remote attacker can exploit this to disclose information or to execute arbitrary code. (ZDI-CAN-7620/ZDI-CAN-7844/ZDI-CAN-8170) - A out-of-bounds write and crash vulnerability exists. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7613/ZDI-CAN-7614/ZDI-CAN-7701/ ZDI-CAN-7972) - A use-after-free or out-of-bounds write and crash vulnerability exists. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694) - A use-after-free vulnerability. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694/ZDI-CAN-7777/ZDI-CAN-7874) - A use-after-free, remote code execution, information disclosure vulnerability exists when deleting Field with nested scripts. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-8162/ZDI-CAN-8163/ZDI-CAN-8164/ ZDI-CAN-8165/ZDI-CAN-8229/ZDI-CAN-8230/ZDI-CAN-8231/ZDI-CAN-8272) last seen 2020-06-01 modified 2020-06-02 plugin id 124413 published 2019-04-30 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124413 title Foxit PhantomPDF < 9.5.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124413); script_version("1.2"); script_cvs_date("Date: 2019/10/30 13:24:47"); script_cve_id( "CVE-2018-20309", "CVE-2018-20310", "CVE-2018-20311", "CVE-2018-20312", "CVE-2018-20313", "CVE-2018-20314", "CVE-2018-20315", "CVE-2018-20316" ); script_xref(name:"ZDI", value:"ZDI-CAN-7407"); script_xref(name:"ZDI", value:"ZDI-CAN-7561"); script_xref(name:"ZDI", value:"ZDI-CAN-7613"); script_xref(name:"ZDI", value:"ZDI-CAN-7614"); script_xref(name:"ZDI", value:"ZDI-CAN-7620"); script_xref(name:"ZDI", value:"ZDI-CAN-7694"); script_xref(name:"ZDI", value:"ZDI-CAN-7696"); script_xref(name:"ZDI", value:"ZDI-CAN-7701"); script_xref(name:"ZDI", value:"ZDI-CAN-7769"); script_xref(name:"ZDI", value:"ZDI-CAN-7777"); script_xref(name:"ZDI", value:"ZDI-CAN-7844"); script_xref(name:"ZDI", value:"ZDI-CAN-7874"); script_xref(name:"ZDI", value:"ZDI-CAN-7972"); script_xref(name:"ZDI", value:"ZDI-CAN-8162"); script_xref(name:"ZDI", value:"ZDI-CAN-8163"); script_xref(name:"ZDI", value:"ZDI-CAN-8164"); script_xref(name:"ZDI", value:"ZDI-CAN-8165"); script_xref(name:"ZDI", value:"ZDI-CAN-8170"); script_xref(name:"ZDI", value:"ZDI-CAN-8229"); script_xref(name:"ZDI", value:"ZDI-CAN-8230"); script_xref(name:"ZDI", value:"ZDI-CAN-8231"); script_xref(name:"ZDI", value:"ZDI-CAN-8272"); script_name(english:"Foxit PhantomPDF < 9.5.0 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Foxit PhantomPDF."); script_set_attribute(attribute:"synopsis", value: "A PDF toolkit installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 8.3.10. It is, therefore, affected by multiple vulnerabilities: - A heap-based buffer overflow condition exists in the proxyCPDFAction, proxyCheckLicence, proxyDoAction, proxyGetAppEdition, or proxyPreviewAction due to a stack buffer overflow or out-of-bounds read. An authenticated, local attacker can exploit this, via large integer or long string causing a denial of service condition or the execution of arbitrary code. - A directory traversal vulnerability exists in the cPDF plugin due to unexpected javascript invocation resulting in remote code execution. An unauthenticated, remote attacker can exploit this, by invoking javascript through the console to write local files. (ZDI-CAN-7407) - A integer overflow and crash condition exists in the XFA stuff method due to the lack of proper validation of user-supplied data. An attacker can explit this to disclose information. (ZDI-CAN-7561) - A use-after-free, out-of-bounds read, and crash vulnerability exists when converting HTML files to PDFs. An authenticated, remote attacker can exploit this to disclose information or to execute arbitrary code. (ZDI-CAN-7620/ZDI-CAN-7844/ZDI-CAN-8170) - A out-of-bounds write and crash vulnerability exists. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7613/ZDI-CAN-7614/ZDI-CAN-7701/ ZDI-CAN-7972) - A use-after-free or out-of-bounds write and crash vulnerability exists. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694) - A use-after-free vulnerability. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694/ZDI-CAN-7777/ZDI-CAN-7874) - A use-after-free, remote code execution, information disclosure vulnerability exists when deleting Field with nested scripts. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-8162/ZDI-CAN-8163/ZDI-CAN-8164/ ZDI-CAN-8165/ZDI-CAN-8229/ZDI-CAN-8230/ZDI-CAN-8231/ZDI-CAN-8272) "); script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7407/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7561/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7613/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7614/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7620/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7694/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7696/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7701/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7769/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7777/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7844/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7874/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7972/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8162/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8163/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8164/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8165/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8170/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8229/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8230/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8231/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8272/"); script_set_attribute(attribute:"solution", value: "Upgrade to Foxit PhantomPDF version 9.5.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20316"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/18"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/30"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantom"); script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantompdf"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("foxit_phantom_installed.nasl"); script_require_keys("installed_sw/FoxitPhantomPDF"); exit(0); } include('vcf.inc'); app = 'FoxitPhantomPDF'; app_info = vcf::get_app_info(app:app, win_local:TRUE); constraints = [{ 'min_version' : '9.0', 'max_version' : '9.4.1.16828', 'fixed_version' : '9.5.0' }]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family Windows NASL id FOXIT_READER_9_5_0.NASL description According to its version, the Foxit Reader application (formally known as Phantom) installed on the remote Windows host is prior to 8.3.10. It is, therefore, affected by multiple vulnerabilities: - A heap-based buffer overflow condition exists in the proxyCPDFAction, proxyCheckLicence, proxyDoAction, proxyGetAppEdition, or proxyPreviewAction due to a stack buffer overflow or out-of-bounds read. An authenticated, local attacker can exploit this, via large integer or long string causing a denial of service condition or the execution of arbitrary code. - A directory traversal vulnerability exists in the cPDF plugin due to unexpected javascript invocation resulting in remote code execution. An unauthenticated, remote attacker can exploit this, by invoking javascript through the console to write local files. (ZDI-CAN-7407) - A integer overflow and crash condition exists in the XFA stuff method due to the lack of proper validation of user-supplied data. An attacker can explit this to disclose information. (ZDI-CAN-7561) - A use-after-free, out-of-bounds read, and crash vulnerability exists when converting HTML files to PDFs. An authenticated, remote attacker can exploit this to disclose information or to execute arbitrary code. (ZDI-CAN-7620/ZDI-CAN-7844/ZDI-CAN-8170) - A out-of-bounds write and crash vulnerability exists. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7613/ZDI-CAN-7614/ZDI-CAN-7701/ ZDI-CAN-7972) - A use-after-free or out-of-bounds write and crash vulnerability exists. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694) - A use-after-free vulnerability. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694/ZDI-CAN-7777/ZDI-CAN-7874) - A use-after-free, remote code execution, information disclosure vulnerability exists when deleting Field with nested scripts. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-8162/ZDI-CAN-8163/ZDI-CAN-8164/ ZDI-CAN-8165/ZDI-CAN-8229/ZDI-CAN-8230/ZDI-CAN-8231/ZDI-CAN-8272) last seen 2020-06-01 modified 2020-06-02 plugin id 125153 published 2019-05-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125153 title Foxit Reader < 9.5.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125153); script_version("1.4"); script_cvs_date("Date: 2019/10/30 13:24:47"); script_cve_id( "CVE-2018-20309", "CVE-2018-20310", "CVE-2018-20311", "CVE-2018-20312", "CVE-2018-20313", "CVE-2018-20314", "CVE-2018-20315", "CVE-2018-20316", "CVE-2019-6754", "CVE-2019-6755", "CVE-2019-6756", "CVE-2019-6757", "CVE-2019-6758", "CVE-2019-6759", "CVE-2019-6760", "CVE-2019-6761", "CVE-2019-6762", "CVE-2019-6763", "CVE-2019-6764", "CVE-2019-6765", "CVE-2019-6766", "CVE-2019-6767", "CVE-2019-6768", "CVE-2019-6769", "CVE-2019-6770", "CVE-2019-6771", "CVE-2019-6772", "CVE-2019-6773" ); script_xref(name:"ZDI", value:"ZDI-19-428"); script_xref(name:"ZDI", value:"ZDI-19-429"); script_xref(name:"ZDI", value:"ZDI-19-430"); script_xref(name:"ZDI", value:"ZDI-19-431"); script_xref(name:"ZDI", value:"ZDI-19-432"); script_xref(name:"ZDI", value:"ZDI-19-433"); script_xref(name:"ZDI", value:"ZDI-19-434"); script_xref(name:"ZDI", value:"ZDI-19-435"); script_xref(name:"ZDI", value:"ZDI-19-436"); script_xref(name:"ZDI", value:"ZDI-19-437"); script_xref(name:"ZDI", value:"ZDI-19-438"); script_xref(name:"ZDI", value:"ZDI-19-439"); script_xref(name:"ZDI", value:"ZDI-19-440"); script_xref(name:"ZDI", value:"ZDI-19-441"); script_xref(name:"ZDI", value:"ZDI-19-442"); script_xref(name:"ZDI", value:"ZDI-19-443"); script_xref(name:"ZDI", value:"ZDI-19-444"); script_xref(name:"ZDI", value:"ZDI-19-445"); script_xref(name:"ZDI", value:"ZDI-19-446"); script_xref(name:"ZDI", value:"ZDI-19-447"); script_xref(name:"ZDI", value:"ZDI-CAN-7407"); script_xref(name:"ZDI", value:"ZDI-CAN-7561"); script_xref(name:"ZDI", value:"ZDI-CAN-7613"); script_xref(name:"ZDI", value:"ZDI-CAN-7614"); script_xref(name:"ZDI", value:"ZDI-CAN-7620"); script_xref(name:"ZDI", value:"ZDI-CAN-7694"); script_xref(name:"ZDI", value:"ZDI-CAN-7696"); script_xref(name:"ZDI", value:"ZDI-CAN-7701"); script_xref(name:"ZDI", value:"ZDI-CAN-7769"); script_xref(name:"ZDI", value:"ZDI-CAN-7777"); script_xref(name:"ZDI", value:"ZDI-CAN-7844"); script_xref(name:"ZDI", value:"ZDI-CAN-7874"); script_xref(name:"ZDI", value:"ZDI-CAN-7972"); script_xref(name:"ZDI", value:"ZDI-CAN-8162"); script_xref(name:"ZDI", value:"ZDI-CAN-8163"); script_xref(name:"ZDI", value:"ZDI-CAN-8164"); script_xref(name:"ZDI", value:"ZDI-CAN-8165"); script_xref(name:"ZDI", value:"ZDI-CAN-8170"); script_xref(name:"ZDI", value:"ZDI-CAN-8229"); script_xref(name:"ZDI", value:"ZDI-CAN-8230"); script_xref(name:"ZDI", value:"ZDI-CAN-8231"); script_xref(name:"ZDI", value:"ZDI-CAN-8272"); script_name(english:"Foxit Reader < 9.5.0 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Foxit Reader."); script_set_attribute(attribute:"synopsis", value: "A PDF toolkit installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the Foxit Reader application (formally known as Phantom) installed on the remote Windows host is prior to 8.3.10. It is, therefore, affected by multiple vulnerabilities: - A heap-based buffer overflow condition exists in the proxyCPDFAction, proxyCheckLicence, proxyDoAction, proxyGetAppEdition, or proxyPreviewAction due to a stack buffer overflow or out-of-bounds read. An authenticated, local attacker can exploit this, via large integer or long string causing a denial of service condition or the execution of arbitrary code. - A directory traversal vulnerability exists in the cPDF plugin due to unexpected javascript invocation resulting in remote code execution. An unauthenticated, remote attacker can exploit this, by invoking javascript through the console to write local files. (ZDI-CAN-7407) - A integer overflow and crash condition exists in the XFA stuff method due to the lack of proper validation of user-supplied data. An attacker can explit this to disclose information. (ZDI-CAN-7561) - A use-after-free, out-of-bounds read, and crash vulnerability exists when converting HTML files to PDFs. An authenticated, remote attacker can exploit this to disclose information or to execute arbitrary code. (ZDI-CAN-7620/ZDI-CAN-7844/ZDI-CAN-8170) - A out-of-bounds write and crash vulnerability exists. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7613/ZDI-CAN-7614/ZDI-CAN-7701/ ZDI-CAN-7972) - A use-after-free or out-of-bounds write and crash vulnerability exists. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694) - A use-after-free vulnerability. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694/ZDI-CAN-7777/ZDI-CAN-7874) - A use-after-free, remote code execution, information disclosure vulnerability exists when deleting Field with nested scripts. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-8162/ZDI-CAN-8163/ZDI-CAN-8164/ ZDI-CAN-8165/ZDI-CAN-8229/ZDI-CAN-8230/ZDI-CAN-8231/ZDI-CAN-8272)"); script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-428/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-429/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-430/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-431/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-432/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-433/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-434/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-435/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-436/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-437/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-438/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-439/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-440/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-441/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-442/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-443/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-444/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-445/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-446/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-19-447/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7407/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7561/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7613/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7614/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7620/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7694/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7696/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7701/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7769/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7777/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7844/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7874/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-7972/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8162/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8163/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8164/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8165/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8170/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8229/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8230/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8231/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-CAN-8272/"); script_set_attribute(attribute:"solution", value: "Upgrade to Foxit Reader version 9.5.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6769"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/18"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:foxit_reader"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("foxit_reader_installed.nasl"); script_require_keys("installed_sw/Foxit Reader"); exit(0); } include('vcf.inc'); app = 'Foxit Reader'; app_info = vcf::get_app_info(app:app, win_local:TRUE); constraints = [ { 'min_version' : '9.0', 'max_version' : '9.4.1.16828', 'fixed_version' : '9.5.0'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
NASL family Windows NASL id FOXIT_READER_9_5.NASL description According to its version, the Foxit Reader application installed on the remote Windows host is prior to 9.5. It is, therefore affected by multiple vulnerabilities: Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 131078 published 2019-11-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131078 title Foxit Reader < 9.5 Multiple Vulnerabilities NASL family Windows NASL id FOXIT_PHANTOM_8_3_10.NASL description According to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 8.3.10. It is, therefore, affected by multiple vulnerabilities: - A heap-based buffer overflow condition exists in the proxyCPDFAction, proxyCheckLicence, proxyDoAction, proxyGetAppEdition, or proxyPreviewAction due to a stack buffer overflow or out-of-bounds read. An authenticated, local attacker can exploit this, via large integer or long string causing a denial of service condition or the execution of arbitrary code. - A directory traversal vulnerability exists in the cPDF plugin due to unexpected javascript invocation resulting in remote code execution. An unauthenticated, remote attacker can exploit this, by invoking javascript through the console to write local files. (ZDI-CAN-7407) - A integer overflow and crash condition exists in the XFA stuff method due to the lack of proper validation of user-supplied data. An attacker can explit this to disclose information. (ZDI-CAN-7561) - A use-after-free, out-of-bounds read, and crash vulnerability exists when converting HTML files to PDFs. An authenticated, remote attacker can exploit this to disclose information or to execute arbitrary code. (ZDI-CAN-7620/ZDI-CAN-7844/ZDI-CAN-8170) - A out-of-bounds write and crash vulnerability exists. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7613/ZDI-CAN-7614/ZDI-CAN-7701/ ZDI-CAN-7972) - A use-after-free or out-of-bounds write and crash vulnerability exists. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694) - A use-after-free vulnerability. An authenticated, remote attacker can exploit this to execute arbitrary code. (ZDI-CAN-7696/ZDI-CAN-7694/ZDI-CAN-7777/ZDI-CAN-7874) - A use-after-free, remote code execution, information disclosure vulnerability exists when deleting Field with nested scripts. An authenticated, local attacker can exploit this to execute arbitrary code. (ZDI-CAN-8162/ZDI-CAN-8163/ZDI-CAN-8164/ ZDI-CAN-8165/ZDI-CAN-8229/ZDI-CAN-8230/ZDI-CAN-8231/ZDI-CAN-8272) last seen 2020-06-01 modified 2020-06-02 plugin id 124412 published 2019-04-30 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124412 title Foxit PhantomPDF < 8.3.10 Multiple Vulnerabilities