Vulnerabilities Threats

English Russian Japanese LatAm Türkiye Brasil France Český Deutschland

KLA11162
Multiple vulnerabilities in Foxit Reader

Updated: 06/03/2020
Detect date
?
 11/01/2017
Severity
?
 Critical
Description

Multiple serious vulnerabilities have been found in Foxit Reader. Malicious users can exploit these vulnerabilities to obtain sensitive information and execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. An out-of-bounds read vulnerability in the tile index member of SOT markers can be exploited remotely via specially designed website or file to obtain sensitive information;
  2. An improper validation vulnerability in the setAction method of Link objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  3. An improper validation vulnerability in the arrowEnd attribute of Annotation objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  4. An out-of-bounds read vulnerability in the parsing of JPEG2000 images embedded in PDF files can be exploited remotely via specially designed website or file to obtain sensitive information;
  5. An out-of-bounds read vulnerability in the channel number member of the cdef box files can be exploited remotely via specially designed website or file to obtain sensitive information;
  6. An out-of-bounds read vulnerability in the channel number member of the cdef box files can be exploited remotely via specially designed website or file to obtain sensitive information;
  7. An out-of-bounds read vulnerability in the tile index of the SOT marker in JPEG2000 images can be exploited remotely via specially designed website or file to obtain sensitive information;
  8. An out-of-bounds read vulnerability in the parsing of the xTsiz member of SIZ markers can be exploited remotely via specially designed website or file to obtain sensitive information;
  9. An out-of-bounds read vulnerability in the parsing of the xOsiz member of SIZ markers can be exploited remotely via specially designed website or file to obtain sensitive information;
  10. A type confusion vulnerability in the insert method of XFAScriptObject objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  11. A type confusion vulnerability in the remove method of XFAScriptObject objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  12. A type confusion vulnerability in the formNodes method of XFA Node objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  13. A type confusion vulnerability in the append method of XFA Node objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  14. A type confusion vulnerability in the w method of XFA Layout objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  15. A type confusion vulnerability in the openList method of XFAScriptObject objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  16. An improper validation vulnerability in the setFocus method of XFAScriptObject objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  17. An improper validation vulnerability in the author attribute of Circle Annotation objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  18. An improper validation vulnerability in the style attribute of Text Annotation objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  19. An improper validation vulnerability in the style attribute of FileAttachment annotation objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  20. A type confusion vulnerability in the page method of XFA Layout objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  21. An improper validation vulnerability in the modDate attribute of Annotation objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  22. A type confusion vulnerability in the pageSpan method of XFA Layout objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  23. A type confusion vulnerability in the handling of references to the app object from FormCalc can be exploited remotely via specially designed website or file to execute arbitrary code;
  24. A type confusion vulnerability in FormCalc’s closeDoc method can be exploited remotely via specially designed website or file to execute arbitrary code;
  25. An out-of-bounds read vulnerability in the parsing of LZWDecode filters can be exploited remotely via specially designed website or file to obtain sensitive information;
  26. An out-of-bounds read vulnerability in the parsing of Image filters can be exploited remotely via specially designed website or file to obtain sensitive information;
  27. An improper validation vulnerability in the XFA’s bind element can be exploited remotely via specially designed website or file to execute arbitrary code;
  28. An improper validation vulnerability in XFA’s field element can be exploited remotely via specially designed website or file to execute arbitrary code;
  29. An improper validation vulnerability in the alignment attribute of Field objects can be exploited remotely via specially designed website or file to execute arbitrary code;
  30. A type confusion vulnerability in the picture elements within XFA forms can be exploited remotely via specially designed website or file to execute arbitrary code;
  31. An out-of-bounds read vulnerability in ImageField node of XFA forms can be exploited remotely via specially designed website or file to obtain sensitive information;
  32. An improper validation vulnerability in the author attribute of the Document object can be exploited remotely via specially designed website or file to execute arbitrary code;
  33. A type confussion vulnerability in the clearItems XFA method can be exploited remotely via specially designed website or file to execute arbitrary code;
  34. An improper validation vulnerability in the datasets element of XFA forms object can be exploited remotely via specially designed website or file to execute arbitrary code;
  35. An out-of-bounds read vulnerability in util.printf can be exploited remotely via specially designed website or file to obtain sensitive information;
  36. An improper validation vulnerability in the app.response method can be exploited remotely via specially designed website or file to execute arbitrary code;
  37. An improper validation vulnerability in the addAnnot method can be exploited remotely via specially designed website or file to execute arbitrary code;
  38. An improper validation vulnerability in the removeField method can be exploited remotely via specially designed website or file to execute arbitrary code;
  39. An out-of-bounds read vulnerability in the parsing of SOT markers can be exploited remotely via specially designed website or file to obtain sensitive information;
  40. An out-of-bounds read vulnerability in the parsing of the yTsiz member of SIZ markers can be exploited remotely via specially designed website or file to obtain sensitive information;
Affected products

Foxit Reader earlier than 9.0.0.29935
Foxit PhantomPDF earlier than 9.0.0.29935
Solution

Update to latest version
Download Foxit Reader
Download Foxit PhantomPDF
Original advisories

Security bulletins
Impacts
?
ACE 
[?]

OSI 
[?]
Related products
 Foxit Reader
Foxit Phantom PDF
CVE-IDS
?
CVE-2017-148346.8High
CVE-2017-148356.8High
CVE-2017-148366.8High
CVE-2017-148376.8High
CVE-2017-165716.8High
CVE-2017-165726.8High
CVE-2017-165734.3Warning
CVE-2017-165744.3Warning
CVE-2017-165756.8High
CVE-2017-165766.8High
CVE-2017-165776.8High
CVE-2017-165786.8High
CVE-2017-165794.3Warning
CVE-2017-165804.3Warning
CVE-2017-165816.8High
CVE-2017-165826.8High
CVE-2017-165836.8High
CVE-2017-165844.3Warning
CVE-2017-165856.8High
CVE-2017-165866.8High
CVE-2017-165876.8High
CVE-2017-165884.3Warning
CVE-2017-165894.3Warning
CVE-2017-109564.3Warning
CVE-2017-109576.8High
CVE-2017-109586.8High
CVE-2017-109596.8High
CVE-2017-148184.3Warning
CVE-2017-148194.3Warning
CVE-2017-148204.3Warning
CVE-2017-148214.3Warning
CVE-2017-148224.3Warning
CVE-2017-148236.8High
CVE-2017-148246.8High
CVE-2017-148256.8High
CVE-2017-148266.8High
CVE-2017-148276.8High
CVE-2017-148286.8High
CVE-2017-148296.8High
CVE-2017-148306.8High
CVE-2017-148316.8High
CVE-2017-148326.8High
CVE-2017-148336.8High
Find out the statistics of the vulnerabilities spreading in your region
© 2023 AO Kaspersky Lab. All Rights Reserved.
Privacy Policy Cookies

Up