CVE-2024-28888

Опубликовано: 02 окт. 2024

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a checkbox field object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Ссылки

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1967
Exploit
Third Party Advisory
https://www.foxit.com/support/security-bulletins.html
Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1967

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:foxit:pdf_reader:2024.1.0.23997:*:*:*:*:*:*:*

EPSS

Процентиль: 86%

0.03049

Низкий

8.8 High

CVSS3

Дефекты

CWE-416

Связанные уязвимости

GHSA-v876-7vq8-2gf7

CVSS3: 8.8

github

больше 1 года назад

A use-after-free vulnerability exists in the way Foxit Reade 2024.1.0.23997 handles a checkbox field object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

EPSS

Процентиль: 86%

0.03049

Низкий

8.8 High

CVSS3

Дефекты

CWE-416