CVE-2018-18689

CWE-3473 documents3 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 99.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Avanquest Expert PDF Ultimate Avanquest PDF Experte Ultimate Foxitsoftware Foxit Reader +14 more

Timeline

PublishedJan 7

Latest updateMay 24

Description

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Read…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages17 packages

▶NVDgonitro/nitro_reader5.5.9.2

▶NVDvisagesoft/expert_pdf_reader9.0.180

▶NVDsoft-xpansion/perfect_pdf_reader13.0.3, 13.1.5+1

▶NVDfoxitsoftware/foxit_reader4 versions+3

▶NVDqoppa/pdf_studio_viewer_20182018.0.1, 2018.2.0+1

🔴Vulnerability Details

GHSA

GHSA-wmqc-jfc8-pfm5: The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures↗2022-05-24

▶

CVEList

CVE-2018-18689: The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures↗2021-01-07

▶