CVE-2018-17657 – Foxit Reader XFA host gotoURL Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-17657
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the gotoURL method of a host object. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-18-1203 • CWE-416: Use After Free •
CVE-2018-17686 – Foxit Reader ConvertToPDF BMP File Parsing Out-of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2018-17686
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of BMP images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-18-1185 • CWE-125: Out-of-bounds Read •
CVE-2018-17697 – Foxit Reader Collab templates Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-17697
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of templates. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-18-1215 • CWE-416: Use After Free •
CVE-2018-17636 – Foxit Reader XFA aliasNode Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-17636
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the id property of a aliasNode. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-18-1209 • CWE-416: Use After Free •
CVE-2018-17638 – Foxit Reader XFA getAttribute Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-17638
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the getAttribute method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-18-1191 • CWE-416: Use After Free •