CVE-2019-14208
https://notcve.org/view.php?id=CVE-2019-14208
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to a NULL pointer dereference and crash when getting a PDF object from a document, or parsing a certain portfolio that contains a null dictionary. Se detectó un problema en PhantomPDF anterior a versión 8.3.10 de Foxit . La aplicación podría estar expuesta a una desreferencia de un puntero NULL y un bloqueo al conseguir un objeto PDF desde un documento, o al analizar un portafolio determinado que contiene un diccionario null. • https://www.foxitsoftware.com/support/security-bulletins.php • CWE-476: NULL Pointer Dereference •
CVE-2019-14207
https://notcve.org/view.php?id=CVE-2019-14207
An issue was discovered in Foxit PhantomPDF before 8.3.11. The application could crash when calling the clone function due to an endless loop resulting from confusing relationships between a child and parent object (caused by an append error). Se detectó un problema en PhantomPDF anterior a versión 8.3.11 de Foxit. La aplicación podría bloquearse al llamar a la función clone debido a un bucle infinito que resulta de las relaciones confusas entre un objeto hijo y padre (causado por un error de adición). • http://www.securityfocus.com/bid/109314 https://www.foxitsoftware.com/support/security-bulletins.php • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2019-13316 – Foxit PhantomPDF Button Calculate Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-13316
This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate actions. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-19-633 • CWE-416: Use After Free •
CVE-2019-13317 – Foxit PhantomPDF Button Calculate Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-13317
This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate actions. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-19-634 • CWE-416: Use After Free •
CVE-2019-13318 – Foxit Reader Format String Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-13318
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of the util.printf Javascript method. The application processes the %p parameter in the format string, allowing heap addresses to be returned to the script. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-19-635 • CWE-134: Use of Externally-Controlled Format String •