CVE-2009-0836
published 2009-03-10CVE-2009-0836: Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, including 1120 and 1301, does not require user confirmation before performing dangerous actions…
PriorityP262critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
40.86%
98.5th percentile
Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, including 1120 and 1301, does not require user confirmation before performing dangerous actions defined in a PDF file, which allows remote attackers to execute arbitrary programs and have unspecified other impact via a crafted file, as demonstrated by the "Open/Execute a file" action.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| foxitsoftware | foxit_reader | <= 3.2.0.0303 | — |
| foxitsoftware | foxit_reader | — | — |
| foxitsoftware | foxit_reader | — | — |
| foxitsoftware | foxit_reader | — | — |
| foxitsoftware | foxit_reader | — | — |
| foxitsoftware | foxit_reader | — | — |
| foxitsoftware | foxit_reader | — | — |
| foxitsoftware | reader | — | — |
| foxitsoftware | reader | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect PDF files containing a '/Type /Action /S /Launch' sequence, which can be used to execute arbitrary local programs via Foxit Reader ↗
- →Detect PDF files containing a '/Launch /Action' sequence used to execute arbitrary programs embedded in a PDF document ↗
- →Target is Foxit Reader build 1120; flag use of this specific build in the environment as vulnerable to authorization bypass via Open/Execute PDF actions ↗
- ·The vulnerability affects Foxit Reader before version 3.2.1.0401; the Metasploit module specifically targets build 1120. Detection should be scoped to these versions. ↗
- ·Exploitation requires no confirmation from the victim, meaning no user interaction prompt is triggered — passive/behavioral detection is necessary as the user will not see a warning dialog. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xp5q-j3fq-3qw3: Foxit Reader 2
ghsa_unreviewed·2022-05-02
CVE-2009-0836 [HIGH] CWE-119 GHSA-xp5q-j3fq-3qw3: Foxit Reader 2
Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, including 1120 and 1301, does not require user confirmation before performing dangerous actions defined in a PDF file, which allows remote attackers to execute arbitrary programs and have unspecified other impact via a crafted file, as demonstrated by the "Open/Execute a file" action.
GHSA
GHSA-54xc-2c9p-qfwj: Foxit Reader before 3
ghsa_unreviewed·2022-05-02·CVSS 10.0
CVE-2010-1239 [CRITICAL] CWE-94 GHSA-54xc-2c9p-qfwj: Foxit Reader before 3
Foxit Reader before 3.2.1.0401 allows remote attackers to (1) execute arbitrary local programs via a certain "/Type /Action /S /Launch" sequence, and (2) execute arbitrary programs embedded in a PDF document via an unspecified "/Launch /Action" sequence, a related issue to CVE-2009-0836.
No detection rules found.
No writeups or analysis indexed.
http://blog.zoller.lu/2009/03/remote-code-execution-in-pdf-still.htmlhttp://lists.immunitysec.com/pipermail/dailydave/2010-April/006079.htmlhttp://secunia.com/advisories/34036http://www.coresecurity.com/content/foxit-reader-vulnerabilitieshttp://www.foxitsoftware.com/pdf/reader/security.htm#bypasshttp://www.securityfocus.com/archive/1/501623/100/0/threadedhttp://www.securityfocus.com/bid/34035http://www.securitytracker.com/id?1021824http://www.vupen.com/english/advisories/2009/0634http://blog.zoller.lu/2009/03/remote-code-execution-in-pdf-still.htmlhttp://lists.immunitysec.com/pipermail/dailydave/2010-April/006079.htmlhttp://secunia.com/advisories/34036http://www.coresecurity.com/content/foxit-reader-vulnerabilitieshttp://www.foxitsoftware.com/pdf/reader/security.htm#bypasshttp://www.securityfocus.com/archive/1/501623/100/0/threadedhttp://www.securityfocus.com/bid/34035http://www.securitytracker.com/id?1021824http://www.vupen.com/english/advisories/2009/0634
2009-03-10
Published