CVE-2018-7407

Published: May 24, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Foxit Reader before 9.1 and PhantomPDF before 9.1. This vulnerability allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when rendering U3D images inside of pdf files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process.

Affected (2)

Products: Foxitsoftware: Phantompdf, Reader

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Foxitsoftware Phantompdf	Up to 9.0.1.1049
Foxitsoftware Reader	Up to 9.0.1.1049

Related CWEs

Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

References (6)

http://www.securityfocus.com/bid/104300

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://srcincite.io/advisories/src-2018-0018/

Source: cve@mitre.org

Third Party Advisory

https://www.foxitsoftware.com/support/security-bulletins.php

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/104300

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://srcincite.io/advisories/src-2018-0018/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.foxitsoftware.com/support/security-bulletins.php

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.