CVE-2023-35985

CWE-73CWE-610CWE-994 documents4 sources
Severity
8.8HIGH
EPSS
0.3%
top 44.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Foxit Foxit ReaderFoxitsoftware Foxit Reader
Timeline
PublishedNov 27

Description

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted malicious site if the browser plugin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5foxit/foxit_reader12.1.3.15356
NVDfoxitsoftware/foxit_reader12.1.3.15356

🔴Vulnerability Details

2
CVEList
CVE-2023-35985: An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 122023-11-27
GHSA
GHSA-9gj5-q54r-hcpr: An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 122023-11-27