CVE-2022-37377

Published: Mar 29, 2023Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Editor 11.1.1.53537;. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within JavaScript optimizations. The issue results from an improper optimization, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16733.

Affected (4)

Products: Foxit: Pdf Editor, Pdf Reader

2 products

Configuration A

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Foxit Pdf Editor	Before 10.1.9
Foxit Pdf Editor	From 11.0.0 to 11.2.3
Foxit Pdf Editor	Version 12.0.0.12394
Foxit Pdf Reader	Before 12.0.1

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

References (4)

https://www.foxit.com/support/security-bulletins.html

Source: zdi-disclosures@trendmicro.com

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-22-1049/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

https://www.foxit.com/support/security-bulletins.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-22-1049/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.