CVE-2020-10892

EPSS 1.62%
Veröffentlicht 22.04.2020 21:15:12
Zuletzt bearbeitet 21.11.2024 04:56:18
Quelle zdi-disclosures@trendmicro.com
Teams Watchlist Login
Unerledigt Login

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the communication API. The issue lies in the handling of the CombineFiles command, which allows an arbitrary file write with attacker controlled data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9830.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Foxitsoftware ≫ Phantompdf Version <= 9.7.1.29511

Microsoft ≫ Windows Version-

Foxitsoftware ≫ Reader Version <= 9.7.1.29511

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.62%	0.801

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
zdi-disclosures@trendmicro.com	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://www.foxitsoftware.com/support/security-bulletins.php

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-20-513/

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2020-10892

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-10892

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-10892

EUVD