CVE-2018-7407Incorrect Type Conversion or Cast in Phantompdf

CWE-704Incorrect Type Conversion or Cast3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.6%
top 30.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Foxitsoftware PhantompdfFoxitsoftware Reader
Timeline
PublishedMay 24
Latest updateMay 14

Description

An issue was discovered in Foxit Reader before 9.1 and PhantomPDF before 9.1. This vulnerability allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when rendering U3D images inside of pdf files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDfoxitsoftware/reader9.0.1.1049
NVDfoxitsoftware/phantompdf9.0.1.1049

🔴Vulnerability Details

2
GHSA
GHSA-77v3-jwwq-rc2m: An issue was discovered in Foxit Reader before 92022-05-14
CVEList
CVE-2018-7407: An issue was discovered in Foxit Reader before 92018-05-24
CVE-2018-7407 — Incorrect Type Conversion or Cast | cvebase