CVE-2019-13334 – Foxit PhantomPDF Dwg2Pdf DXF File Parsing Memory Corruption Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-13334
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.zerodayinitiative.com/advisories/ZDI-19-859 • CWE-787: Out-of-bounds Write CWE-822: Untrusted Pointer Dereference •
CVE-2019-17136 – Foxit PhantomPDF Dwg2Pdf DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-17136
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.zerodayinitiative.com/advisories/ZDI-19-861 • CWE-125: Out-of-bounds Read •
CVE-2019-5031
https://notcve.org/view.php?id=CVE-2019-5031
An exploitable memory corruption vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.4.1.16828. A specially crafted PDF document can trigger an out-of-memory condition which isn't handled properly, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability. Se presenta una vulnerabilidad de corrupción de memoria explotable en el motor de JavaScript de Foxit PDF Reader del Software Foxit , versión 9.4.1.16828. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0793 • CWE-703: Improper Check or Handling of Exceptional Conditions CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2019-13329 – Foxit Reader TIF File ConvertToPDF Type Confusion Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-13329
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIF files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-19-852 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2019-13328 – Foxit Reader AcroForm Field Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-13328
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of fields within Acroform objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.foxitsoftware.com/support/security-bulletins.php https://www.zerodayinitiative.com/advisories/ZDI-19-851 • CWE-416: Use After Free •