Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-17420

Summary
Assigner-zdi
Assigner Org ID-99f1926a-a320-47d8-bbb5-42feb611262e
Published At-09 Feb, 2021 | 15:45
Updated At-04 Aug, 2024 | 13:53
Rejected At-
Credits

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of NEF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11193.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:zdi
Assigner Org ID:99f1926a-a320-47d8-bbb5-42feb611262e
Published At:09 Feb, 2021 | 15:45
Updated At:04 Aug, 2024 | 13:53
Rejected At:
▼CVE Numbering Authority (CNA)

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of NEF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11193.

Affected Products
Vendor
Foxit Software IncorporatedFoxit
Product
Studio Photo
Versions
Affected
  • 3.6.6.922
Problem Types
TypeCWE IDDescription
CWECWE-125CWE-125: Out-of-bounds Read
Type: CWE
CWE ID: CWE-125
Description: CWE-125: Out-of-bounds Read
Metrics
VersionBase scoreBase severityVector
3.03.3LOW
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Version: 3.0
Base score: 3.3
Base severity: LOW
Vector:
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Mat Powell of Trend Micro Zero Day Initiative
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.foxitsoftware.com/support/security-bulletins.html
x_refsource_MISC
https://www.zerodayinitiative.com/advisories/ZDI-20-1331/
x_refsource_MISC
Hyperlink: https://www.foxitsoftware.com/support/security-bulletins.html
Resource:
x_refsource_MISC
Hyperlink: https://www.zerodayinitiative.com/advisories/ZDI-20-1331/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.foxitsoftware.com/support/security-bulletins.html
x_refsource_MISC
x_transferred
https://www.zerodayinitiative.com/advisories/ZDI-20-1331/
x_refsource_MISC
x_transferred
Hyperlink: https://www.foxitsoftware.com/support/security-bulletins.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.zerodayinitiative.com/advisories/ZDI-20-1331/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:zdi-disclosures@trendmicro.com
Published At:09 Feb, 2021 | 18:15
Updated At:11 Feb, 2021 | 14:21

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of NEF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11193.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.13.3LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Secondary3.03.3LOW
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 3.3
Base severity: LOW
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.0
Base score: 3.3
Base severity: LOW
Vector:
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CPE Matches
Foxit Software Incorporated
foxitsoftware
>>foxit_studio_photo>>3.6.6.922
cpe:2.3:a:foxitsoftware:foxit_studio_photo:3.6.6.922:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-125Primarynvd@nist.gov
CWE-125Secondaryzdi-disclosures@trendmicro.com
CWE ID: CWE-125
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-125
Type: Secondary
Source: zdi-disclosures@trendmicro.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.foxitsoftware.com/support/security-bulletins.htmlzdi-disclosures@trendmicro.com
Not Applicable
https://www.zerodayinitiative.com/advisories/ZDI-20-1331/zdi-disclosures@trendmicro.com
Third Party Advisory
VDB Entry
Hyperlink: https://www.foxitsoftware.com/support/security-bulletins.html
Source: zdi-disclosures@trendmicro.com
Resource:
Not Applicable
Hyperlink: https://www.zerodayinitiative.com/advisories/ZDI-20-1331/
Source: zdi-disclosures@trendmicro.com
Resource:
Third Party Advisory
VDB Entry

Change History

0
Information is not available yet

Similar CVEs

1070Records found
CVE-2022-37379
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.86% / 74.20%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-14 Feb, 2025 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the AFSpecial_KeystrokeEx method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-17168.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-pdf_editorwindowspdf_readerPDF Reader
CWE ID-CWE-416
Use After Free
CVE-2023-38113
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.36% / 57.67%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 01:59
Updated-12 Aug, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vulnerability

Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-21083.

Action-Not Available
Vendor-Apple Inc.Foxit Software IncorporatedMicrosoft Corporation
Product-pdf_readermacospdf_editorwindowsPDF Readerpdf_reader
CWE ID-CWE-416
Use After Free
CVE-2019-17143
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.42% / 61.32%
||
7 Day CHG~0.00%
Published-25 Oct, 2019 | 18:14
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9273.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-phantompdfPhantomPDF
CWE ID-CWE-416
Use After Free
CVE-2024-9251
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.07% / 20.71%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:19
Updated-29 Nov, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vulnerability

Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-24490.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-pdf_editorpdf_readerPDF Reader
CWE ID-CWE-416
Use After Free
CVE-2019-13318
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-5.5||MEDIUM
EPSS-0.91% / 74.89%
||
7 Day CHG~0.00%
Published-04 Oct, 2019 | 17:37
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of the util.printf Javascript method. The application processes the %p parameter in the format string, allowing heap addresses to be returned to the script. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8544.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfreaderwindowsReader
CWE ID-CWE-134
Use of Externally-Controlled Format String
CVE-2018-9948
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-6.5||MEDIUM
EPSS-87.52% / 99.42%
||
7 Day CHG~0.00%
Published-17 May, 2018 | 15:00
Updated-05 Aug, 2024 | 07:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of typed arrays. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5380.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-phantompdffoxit_readerFoxit Reader
CWE ID-CWE-824
Access of Uninitialized Pointer
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2018-9946
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.32%
||
7 Day CHG~0.00%
Published-17 May, 2018 | 15:00
Updated-05 Aug, 2024 | 07:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the setTimeOut method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5471.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-phantompdffoxit_readerFoxit Reader
CWE ID-CWE-416
Use After Free
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-9252
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.07% / 20.71%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:19
Updated-29 Nov, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader AcroForm Use-After-Free Information Disclosure Vulnerability

Foxit PDF Reader AcroForm Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-24491.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-pdf_editorpdf_readerPDF Reader
CWE ID-CWE-416
Use After Free
CVE-2018-1174
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.32%
||
7 Day CHG~0.00%
Published-17 May, 2018 | 15:00
Updated-05 Aug, 2024 | 03:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the bitmapDPI attribute of PrintParams objects. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5437.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-phantompdffoxit_readerFoxit Reader
CWE ID-CWE-665
Improper Initialization
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-8059
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.01% / 0.96%
||
7 Day CHG~0.00%
Published-05 May, 2017 | 07:04
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Acceptance of invalid/self-signed TLS certificates in "Foxit PDF - PDF reader, editor, form, signature" before 5.4 for iOS allows a man-in-the-middle and/or physically proximate attacker to silently intercept login information (username/password), in addition to the static authentication token if the user is already logged in.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-foxit_pdfn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2024-7722
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.22% / 44.60%
||
7 Day CHG~0.00%
Published-21 Aug, 2024 | 16:04
Updated-18 Oct, 2024 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader Doc Object Use-After-Free Information Disclosure Vulnerability

Foxit PDF Reader Doc Object Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-23702.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-pdf_editorpdf_readerPDF Reader
CWE ID-CWE-416
Use After Free
CVE-2021-34951
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.51% / 65.45%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 22:54
Updated-07 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader Annotation Use of Uninitialized Variable Information Disclosure Vulnerability

Foxit PDF Reader Annotation Use of Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-14395.

Action-Not Available
Vendor-Foxit Software IncorporatedMicrosoft Corporation
Product-windowspdf_editorpdf_readerPDF Readerphantompdfpdf_editorpdf_reader
CWE ID-CWE-457
Use of Uninitialized Variable
CVE-2022-37382
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-1.04% / 76.58%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-14 Feb, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the removeIcon method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-17383.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-pdf_editorwindowspdf_readerPDF Reader
CWE ID-CWE-416
Use After Free
CVE-2021-34973
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.61% / 68.85%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 22:54
Updated-13 Aug, 2025 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader PDF File Parsing Use-After-Free Information Disclosure Vulnerability

Foxit PDF Reader PDF File Parsing Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-14968.

Action-Not Available
Vendor-Foxit Software IncorporatedMicrosoft Corporation
Product-pdf_readerpdf_editorwindowsPDF Readerpdf_reader
CWE ID-CWE-416
Use After Free
CVE-2019-6771
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-3.3||LOW
EPSS-0.65% / 69.82%
||
7 Day CHG~0.00%
Published-03 Jun, 2019 | 18:15
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 2019.010.20098. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the value property of a Field object within AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8230.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfwindowsfoxit_readerReader
CWE ID-CWE-416
Use After Free
CVE-2022-24358
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.66% / 70.21%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 19:52
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. By performing actions in JavaScript, an attacker can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15703.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-pdf_editorwindowspdf_readerPDF Reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-17427
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.58% / 67.84%
||
7 Day CHG+0.15%
Published-09 Feb, 2021 | 15:46
Updated-04 Aug, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of NEF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11334.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-foxit_studio_photoStudio Photo
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-30323
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.74% / 85.40%
||
7 Day CHG+0.71%
Published-03 Apr, 2024 | 16:21
Updated-11 Aug, 2025 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader template Out-Of-Bounds Read Remote Code Execution Vulnerability

Foxit PDF Reader template Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of template objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22501.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-pdf_editorpdf_readerwindowsPDF Readerpdf_readerpdf_editor
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-30353
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.74% / 85.40%
||
7 Day CHG+0.71%
Published-02 Apr, 2024 | 20:15
Updated-08 Aug, 2025 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability

Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects in AcroForms. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22807.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-windowspdf_readerpdf_editorPDF Readerpdf_readerpdf_editor
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-30341
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.41% / 84.46%
||
7 Day CHG+0.62%
Published-02 Apr, 2024 | 20:11
Updated-09 Jul, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability

Foxit PDF Reader Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22709.

Action-Not Available
Vendor-Foxit Software IncorporatedMicrosoft Corporation
Product-pdf_readerpdf_editorwindowsPDF Reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2016-8878
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.36% / 57.49%
||
7 Day CHG~0.00%
Published-31 Oct, 2016 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to execute arbitrary code via a crafted BMP image embedded in the XFA stream in a PDF document, aka "Data from Faulting Address may be used as a return value starting at FOXITREADER."

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2016-8876
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.36% / 57.49%
||
7 Day CHG~0.00%
Published-31 Oct, 2016 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to execute arbitrary code via a crafted TIFF image embedded in the XFA stream in a PDF document, aka "Read Access Violation starting at FoxitReader."

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-12751
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.06% / 17.59%
||
7 Day CHG~0.00%
Published-30 Dec, 2024 | 20:13
Updated-08 Aug, 2025 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability

Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25344.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-windowspdf_readerpdf_editorPDF Reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-38564
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.02% / 4.36%
||
7 Day CHG~0.00%
Published-11 Aug, 2021 | 21:15
Updated-04 Aug, 2024 | 01:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Foxit PDF Reader before 11.0.1 and PDF Editor before 11.0.1. It allows an out-of-bounds read via util.scand.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-pdf_editorpdf_readern/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-34950
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-1.73% / 81.69%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 22:54
Updated-13 Aug, 2025 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader Annotation Out-Of-Bounds Read Remote Code Execution Vulnerability

Foxit PDF Reader Annotation Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14396.

Action-Not Available
Vendor-Foxit Software IncorporatedMicrosoft Corporation
Product-pdf_readerpdf_editorwindowsPDF Readerpdf_editorpdf_reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2016-8875
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 26.06%
||
7 Day CHG~0.00%
Published-31 Oct, 2016 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF image, aka "Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ConvertToPDF_x86!CreateFXPDFConvertor."

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-27271
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-4.54% / 88.74%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 14:35
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in an out-of-bounds read condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12438.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfwindowsfoxit_readerPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-27261
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-4.57% / 88.78%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 14:35
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12269.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfwindowsfoxit_readerPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-12247
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-0.13% / 33.03%
||
7 Day CHG~0.00%
Published-04 Sep, 2020 | 03:32
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Foxit Reader and PhantomPDF before 10.0.1, and PhantomPDF before 9.7.3, attackers can obtain sensitive information from an out-of-bounds read because a text-string index continues to be used after splitting a string into two parts. A crash may also occur.

Action-Not Available
Vendor-n/aMicrosoft CorporationFoxit Software Incorporated
Product-phantompdfwindowsreadern/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-10898
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.84% / 85.67%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 20:50
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-10195.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfreaderwindowsPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-10902
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.84% / 85.67%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 20:51
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-10462.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfreaderwindowsPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2018-5680
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.51% / 80.44%
||
7 Day CHG~0.00%
Published-24 May, 2018 | 21:00
Updated-05 Aug, 2024 | 05:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader before 9.1 and PhantomPDF before 9.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of specially crafted pdf files with embedded u3d images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process, a different vulnerability than CVE-2018-5677 and CVE-2018-5679.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-10895
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.84% / 85.67%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 20:50
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-10191.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfreaderwindowsPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2018-3956
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-6.8||MEDIUM
EPSS-10.82% / 93.08%
||
7 Day CHG~0.00%
Published-30 Jan, 2019 | 22:00
Updated-16 Sep, 2024 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable out-of-bounds read vulnerability exists in the handling of certain XFA element attributes of Foxit Software's PDF Reader version 9.1.0.5096. A specially crafted PDF document can trigger an out-of-bounds read, which can disclose sensitive memory content and aid in exploitation when coupled with another vulnerability. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfreaderwindowsFoxit
CWE ID-CWE-125
Out-of-bounds Read
CVE-2018-19347
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-0.07% / 22.30%
||
7 Day CHG~0.00%
Published-17 Nov, 2018 | 21:00
Updated-16 Sep, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Data from Faulting Address controls Branch Selection starting at U3DBrowser!PlugInMain+0x00000000000d11bb" issue.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-foxit_readeru3dn/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-13331
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.54% / 66.49%
||
7 Day CHG~0.00%
Published-03 Oct, 2019 | 21:33
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8838.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-readerwindowsReader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2022-24908
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.32% / 84.18%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 00:00
Updated-19 Feb, 2025 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 images. Crafted data in a JP2 image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16187.

Action-Not Available
Vendor-Foxit Software IncorporatedMicrosoft Corporation
Product-pdf_editorwindowspdf_readerPDF Reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2022-24971
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.97% / 75.67%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 19:52
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15812.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-pdf_editorwindowspdf_readerPDF Reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2018-19343
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-0.07% / 22.30%
||
7 Day CHG~0.00%
Published-17 Nov, 2018 | 21:00
Updated-17 Sep, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read), obtain sensitive information, or possibly have unspecified other impact via a U3D sample because of a "Data from Faulting Address controls Code Flow starting at U3DBrowser!PlugInMain+0x00000000000f43ff" issue.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-foxit_readeru3dn/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2018-20312
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.03% / 5.45%
||
7 Day CHG~0.00%
Published-07 Jan, 2021 | 17:01
Updated-05 Aug, 2024 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyDoAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read, a different issue than CVE-2018-20310 because of a different opcode.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2022-24907
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.32% / 84.18%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 00:00
Updated-19 Feb, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 images. Crafted data in a JP2 image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16186.

Action-Not Available
Vendor-Foxit Software IncorporatedMicrosoft Corporation
Product-pdf_editorwindowspdf_readerPDF Reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-6729
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-0.74% / 72.08%
||
7 Day CHG~0.00%
Published-19 Mar, 2019 | 19:56
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7423.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfreaderwindowsReader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-6731
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-0.74% / 72.08%
||
7 Day CHG~0.00%
Published-19 Mar, 2019 | 19:56
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of HTML files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7369.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfreaderwindowsPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-6765
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.76% / 72.31%
||
7 Day CHG~0.00%
Published-03 Jun, 2019 | 18:15
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.4.1.16828. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of HTML files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8170.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-phantompdfwindowsfoxit_readerPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-6985
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.13% / 33.00%
||
7 Day CHG~0.00%
Published-28 Jan, 2019 | 09:00
Updated-17 Sep, 2024 | 03:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for Foxit Reader and PhantomPDF. The application could encounter an Out-of-Bounds Read in Indexing or a Heap Overflow and crash during handling of certain PDF files that embed specifically crafted 3D content, due to an array access violation.

Action-Not Available
Vendor-n/aMicrosoft CorporationFoxit Software Incorporated
Product-windows3dn/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-5007
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-0.14% / 34.82%
||
7 Day CHG~0.00%
Published-03 Jan, 2019 | 23:00
Updated-17 Sep, 2024 | 02:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on Windows. It is an Out-of-Bounds Read Information Disclosure and crash due to a NULL pointer dereference when reading TIFF data during TIFF parsing.

Action-Not Available
Vendor-n/aMicrosoft CorporationFoxit Software Incorporated
Product-phantompdfwindowsfoxit_readern/a
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-38119
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-1.54% / 80.65%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 01:59
Updated-12 Aug, 2025 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxit PDF Reader AcroForm signature Out-Of-Bounds Read Remote Code Execution Vulnerability

Foxit PDF Reader AcroForm signature Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of signature fields. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21326.

Action-Not Available
Vendor-Foxit Software IncorporatedMicrosoft Corporation
Product-pdf_readerpdf_editorwindowsPDF Readerpdf_reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-17136
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-1.33% / 79.10%
||
7 Day CHG~0.00%
Published-07 Feb, 2020 | 23:35
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8776.

Action-Not Available
Vendor-Foxit Software Incorporated
Product-phantompdfPhantomPDF
CWE ID-CWE-125
Out-of-bounds Read
CVE-2022-28681
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-2.5||LOW
EPSS-0.17% / 38.59%
||
7 Day CHG-0.53%
Published-18 Jul, 2022 | 18:42
Updated-03 Aug, 2024 | 06:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the deletePages method. By performing actions in JavaScript, an attacker can trigger a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-16825.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-pdf_editorwindowspdf_readerPDF Reader
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-13324
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.84% / 85.67%
||
7 Day CHG~0.00%
Published-03 Oct, 2019 | 21:28
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.909. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of TIFF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8782.

Action-Not Available
Vendor-Microsoft CorporationFoxit Software Incorporated
Product-windowsfoxit_studio_photoStudio Photo
CWE ID-CWE-125
Out-of-bounds Read
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 21
  • 22
  • Next
Details not found