CVE-2019-5145Use After Free in Reader

CWE-416Use After Free3 documents3 sources
Severity
8.8HIGHNVD
EPSS
8.5%
top 7.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Foxitsoftware PhantompdfFoxitsoftware ReaderFoxitsoftware Foxit Reader
Timeline
PublishedJan 16
Latest updateMay 24

Description

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDfoxitsoftware/reader9.7.0.29435
CVEListV5foxitsoftware/foxit_readerFoxit Software Foxit PDF Reader 9.7.0.29435
NVDfoxitsoftware/phantompdf9.7.0.29435

🔴Vulnerability Details

2
GHSA
GHSA-6cr6-42wp-f2fm: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit PDF Reader, version 92022-05-24
CVEList
CVE-2019-5145: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit PDF Reader, version 92020-01-16
CVE-2019-5145 — Use After Free in Foxitsoftware Reader | cvebase