5.5
CVE-2019-13318
- EPSS 0.91%
- Veröffentlicht 04.10.2019 18:15:14
- Zuletzt bearbeitet 21.11.2024 04:24:42
- Quelle zdi-disclosures@trendmicro.com
- Teams Watchlist Login
- Unerledigt Login
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of the util.printf Javascript method. The application processes the %p parameter in the format string, allowing heap addresses to be returned to the script. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8544.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Foxitsoftware ≫ Reader Version <= 9.5.0.20723
Foxitsoftware ≫ Phantompdf Version <= 8.3.10.42705
Foxitsoftware ≫ Phantompdf Version >= 9.0 <= 9.5.0.20723
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.91% | 0.748 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
| zdi-disclosures@trendmicro.com | 5.5 | 1.8 | 3.6 |
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
|
CWE-134 Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.