CVE-2020-10892

EPSS 1.62%
Published 22.04.2020 21:15:12
Last modified 21.11.2024 04:56:18
Source zdi-disclosures@trendmicro.com
Teams watchlist Login
Open Login

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the communication API. The issue lies in the handling of the CombineFiles command, which allows an arbitrary file write with attacker controlled data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9830.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Foxitsoftware ≫ Phantompdf Version <= 9.7.1.29511

Microsoft ≫ Windows Version-

Foxitsoftware ≫ Reader Version <= 9.7.1.29511

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.62%	0.801

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
zdi-disclosures@trendmicro.com	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://www.foxitsoftware.com/support/security-bulletins.php

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-20-513/

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2020-10892

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-10892

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-10892

EUVD