Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2018-18688

Опубликовано: 07 янв. 2021
Источник: nvd
CVSS3: 5.3
CVSS2: 5
EPSS Низкий

Описание

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одновременно

Одно из

cpe:2.3:a:code-industry:master_pdf_editor:5.1.12:*:*:*:*:*:*:*
cpe:2.3:a:code-industry:master_pdf_editor:5.1.68:*:*:*:*:*:*:*
cpe:2.3:a:foxitsoftware:foxit_reader:9.4:*:*:*:*:*:*:*
cpe:2.3:a:foxitsoftware:phantompdf:*:*:*:*:*:*:*:*
Версия от 9.0 (включая) до 9.4 (исключая)
cpe:2.3:a:foxitsoftware:phantompdf:8.3.9:*:*:*:*:*:*:*
cpe:2.3:a:gonitro:nitro_pro:11.0.3.173:*:*:*:*:*:*:*
cpe:2.3:a:gonitro:nitro_reader:5.5.9.2:*:*:*:*:*:*:*
cpe:2.3:a:iskysoft:pdf_editor_6:6.4.2.3521:*:*:*:professional:*:*:*
cpe:2.3:a:iskysoft:pdfelement6:6.8.0.3523:*:*:*:professional:*:*:*
cpe:2.3:a:iskysoft:pdfelement6:6.8.4.3921:*:*:*:professional:*:*:*
cpe:2.3:a:libreoffice:libreoffice:6.0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:libreoffice:libreoffice:6.1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:nuance:power_pdf_standard:3.0.0.17:*:*:*:*:*:*:*
cpe:2.3:a:nuance:power_pdf_standard:3.0.0.30:*:*:*:*:*:*:*
cpe:2.3:a:nuance:power_pdf_standard:7.0:*:*:*:*:*:*:*
cpe:2.3:a:qoppa:pdf_studio:12.0.7:*:*:*:professional:*:*:*
cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.0.1:*:*:*:*:*:*:*
cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.2.0:*:*:*:*:*:*:*
cpe:2.3:a:soft-xpansion:perfect_pdf_10:10.0.0.1:*:*:*:premium:*:*:*
cpe:2.3:a:soft-xpansion:perfect_pdf_reader:13.0.3:*:*:*:*:*:*:*
cpe:2.3:a:soft-xpansion:perfect_pdf_reader:13.1.5:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Конфигурация 2

Одновременно

Одно из

cpe:2.3:a:code-industry:master_pdf_editor:5.1.12:*:*:*:*:*:*:*
cpe:2.3:a:code-industry:master_pdf_editor:5.1.68:*:*:*:*:*:*:*
cpe:2.3:a:foxitsoftware:foxit_reader:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:foxitsoftware:foxit_reader:9.2.0:*:*:*:*:*:*:*
cpe:2.3:a:libreoffice:libreoffice:6.0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:libreoffice:libreoffice:6.1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:qoppa:pdf_studio:12.0.7:*:*:*:professional:*:*:*
cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.0.1:*:*:*:*:*:*:*
cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.2.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Конфигурация 3

Одновременно

Одно из

cpe:2.3:a:code-industry:master_pdf_editor:5.1.24:*:*:*:*:*:*:*
cpe:2.3:a:code-industry:master_pdf_editor:5.1.68:*:*:*:*:*:*:*
cpe:2.3:a:foxitsoftware:foxit_reader:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:foxitsoftware:foxit_reader:9.2.0:*:*:*:*:*:*:*
cpe:2.3:a:iskysoft:pdf_editor_6:6.6.2.3315:*:*:*:professional:*:*:*
cpe:2.3:a:iskysoft:pdf_editor_6:6.7.6.3399:*:*:*:professional:*:*:*
cpe:2.3:a:iskysoft:pdfelement6:6.7.1.3355:*:*:*:professional:*:*:*
cpe:2.3:a:iskysoft:pdfelement6:6.7.6.3399:*:*:*:professional:*:*:*
cpe:2.3:a:libreoffice:libreoffice:6.1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:libreoffice:libreoffice:6.1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:qoppa:pdf_studio:12.0.7:*:*:*:professional:*:*:*
cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.0.1:*:*:*:*:*:*:*
cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.2.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

EPSS

Процентиль: 0%
0.00002
Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

github логотип

GHSA-q966-hp9v-pw89

github
больше 3 лет назад

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.

EPSS

Процентиль: 0%
0.00002
Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347