CVE-2019-6754 — Path Traversal in Foxit Reader

CWE-22 — Path Traversal4 documents4 sources

Severity

7.8HIGHNVD

EPSS

1.2%

top 21.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foxitsoftware Foxit Reader Foxitsoftware Phantompdf Foxit Reader

Timeline

PublishedJun 3

Latest updateMay 7

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.3.10826. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the localFileStorage method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the c…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDfoxitsoftware/foxit_reader9.4.1.16828

▶CVEListV5foxit/reader9.3.10826

▶NVDfoxitsoftware/phantompdf9.0.0 — 9.4.1.16828+1

Patches

Patch: www.foxitsoftware.com ↗Patch: www.foxitsoftware.com ↗

🔴Vulnerability Details

OSV

nghttp2 vulnerability↗2024-05-07

▶

GHSA

GHSA-53m2-mrx2-vg6r: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9↗2022-05-24

▶

CVEList

CVE-2019-6754: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9↗2019-06-03

▶