CVE-2020-35931 — Improper Check for Unusual or Exceptional Conditions in Foxit Reader

CWE-754 — Improper Check for Unusual or Exceptional Conditions3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 72.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foxitsoftware Foxit Reader Foxitsoftware Phantompdf

Timeline

PublishedDec 31

Latest updateMay 24

Description

An issue was discovered in Foxit Reader before 10.1.1 (and before 4.1.1 on macOS) and PhantomPDF before 9.7.5 and 10.x before 10.1.1 (and before 4.1.1 on macOS). An attacker can spoof a certified PDF document via an Evil Annotation Attack because the products fail to consider a null value for a Subtype entry of the Annotation dictionary, in an incremental update.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDfoxitsoftware/phantompdf10.0.0 — 10.1.1+2

▶NVDfoxitsoftware/foxit_reader< 10.1.1+1

Patches

Patch: www.foxitsoftware.com ↗Patch: www.foxitsoftware.com ↗

🔴Vulnerability Details

GHSA

GHSA-xq8j-8h49-q9q4: An issue was discovered in Foxit Reader before 10↗2022-05-24

▶

CVEList

CVE-2020-35931: An issue was discovered in Foxit Reader before 10↗2020-12-31

▶