CVE-2018-3962

CWE-416 — Use After Free4 documents4 sources

Severity

7.3HIGH

EPSS

0.2%

top 55.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foxitsoftware Phantompdf Foxitsoftware Reader Foxit Foxit PDF Reader

Timeline

PublishedOct 2

Latest updateMay 13

Description

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.1.0.5096. A use-after-free condition can occur when accessing the CreationDate property of the this.info object. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages3 packages

▶NVDfoxitsoftware/reader9.2.0.9297

▶NVDfoxitsoftware/phantompdf9.2.0.9297

▶CVEListV5foxit/foxit_pdf_readerFoxit Software Foxit PDF Reader 9.1.0.5096.

Patches

Patch: www.foxitsoftware.com ↗

🔴Vulnerability Details

GHSA

GHSA-5q58-xhg6-989p: A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9↗2022-05-13

▶

CVEList

CVE-2018-3962: A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9↗2018-10-02

▶