Foxit Reader
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Foxit Reader.
By the Year
In 2026 there have been 0 vulnerabilities in Foxit Reader. Last year, in 2025 Reader had 1 security vulnerability published. Right now, Reader is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 1 | 8.80 |
| 2023 | 3 | 8.80 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 6.10 |
| 2020 | 15 | 0.00 |
| 2019 | 11 | 0.00 |
| 2018 | 97 | 0.00 |
It may take a day or so for new Reader vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Foxit Reader Security Vulnerabilities
Foxit PDF Reader <4.3.1.0218 Arbitrary File Write via createDataObject() API
CVE-2011-10030
- August 20, 2025
Foxit PDF Reader < 4.3.1.0218 exposes a JavaScript API function, createDataObject(), that allows untrusted PDF content to write arbitrary files anywhere on disk. By embedding a malicious PDF that calls this API, an attacker can drop executables or scripts into privileged folders, leading to code execution the next time the system boots or the user logs in.
External Control of File Name or Path
UAF in Foxit Reader 2024.1.0.23997 Barcode widget
CVE-2024-25938
8.8 - High
- April 30, 2024
A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Barcode widget. A specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
Dangling pointer
UAOF in Foxit Reader 12.1.2.15356: Code Exec via Signature Field
CVE-2023-38573
8.8 - High
- November 27, 2023
A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles a signature field. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
Dangling pointer
Foxit Reader 12.1.3.15356 JS saveAs API RCE
CVE-2023-39542
8.8 - High
- November 27, 2023
A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. A specially crafted malformed file can create arbitrary files, which can lead to remote code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
External Control of File Name or Path
Foxit Reader 12.1.3.15356 JS API arbitrary file creation CVE-2023-40194
CVE-2023-40194
8.8 - High
- November 27, 2023
An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
External Control of File Name or Path
Foxit PDF SDK For Web through 7.5.0 allows XSS
CVE-2021-27517
6.1 - Medium
- July 20, 2021
Foxit PDF SDK For Web through 7.5.0 allows XSS. There is arbitrary JavaScript code execution in the browser if a victim uploads a malicious PDF document containing embedded JavaScript code that abuses app.alert (in the Acrobat JavaScript API).
XSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.0.1.35811
CVE-2020-17417
- October 13, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.0.1.35811. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11657.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.0.0.35798
CVE-2020-17416
- October 13, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.0.0.35798. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11497.
Memory Corruption
This vulnerability allows local attackers to escalate privileges on affected installations of Foxit Reader 10.0.0.35798
CVE-2020-17414
- October 13, 2020
This vulnerability allows local attackers to escalate privileges on affected installations of Foxit Reader 10.0.0.35798. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the configuration files used by the Foxit Reader Update Service. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-11229.
Incorrect Permission Assignment for Critical Resource
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511
CVE-2020-10907
- April 22, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of widgets in XFA forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-10650.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511
CVE-2020-10906
- April 22, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the resetForm method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-10614.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511
CVE-2020-10900
- April 22, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-10142.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511
CVE-2020-10899
- April 22, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XFA templates. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-10132.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455
CVE-2020-8857
- February 14, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of form Annotation objects within AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9862.
Dangling pointer
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.7.0.29455
CVE-2020-8852
- February 14, 2020
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9416.
Out-of-bounds Read
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455
CVE-2020-8851
- February 14, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9406.
Memory Corruption
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455
CVE-2020-8850
- February 14, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9415.
Memory Corruption
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455
CVE-2020-8849
- February 14, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9413.
Memory Corruption
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455
CVE-2020-8848
- February 14, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9407.
Memory Corruption
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455
CVE-2020-8847
- February 14, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9414.
Memory Corruption
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114
CVE-2020-8844
- February 14, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG files within CovertToPDF. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9102.
Integer Overflow or Wraparound
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13320
- October 04, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8814.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13319
- October 04, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XFA forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8669.
Dangling pointer
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13318
- October 04, 2019
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of the util.printf Javascript method. The application processes the %p parameter in the format string, allowing heap addresses to be returned to the script. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8544.
Use of Externally-Controlled Format String
This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13315
- October 04, 2019
This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the removeField method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8656.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5
CVE-2019-13329
- October 03, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIF files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8695.
Object Type Confusion
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13328
- October 03, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of fields within Acroform objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8913.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13327
- October 03, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of fields within Acroform objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8888.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13326
- October 03, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of fields within Acroform objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8864.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114
CVE-2019-13332
- October 03, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of templates in XFA forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9149.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13331
- October 03, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8838.
Out-of-bounds Read
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723
CVE-2019-13330
- October 03, 2019
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8742.
Object Type Confusion
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096
CVE-2018-14317
- August 30, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6683.
Object Type Confusion
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096
CVE-2018-14297
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of FreeText annotations. By manipulating a document's elements, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6213.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14280
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the exportAsFDF XFA function. The issue results from the lack of proper validation of user-supplied data, which can lead to writing arbitrary files into attacker controlled locations. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5619.
Protection Mechanism Failure
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096
CVE-2018-14296
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of Circle annotations. By manipulating a document's elements, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6212.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096
CVE-2018-14294
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of FileAttachment annotations. By manipulating a document's elements an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6211.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096
CVE-2018-14293
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. By manipulating a document's elements, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6233.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096
CVE-2018-14292
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. By manipulating a document's elements, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6232.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096
CVE-2018-14291
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. By manipulating a document's elements, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6231.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096
CVE-2018-14290
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6222.
Heap-based Buffer Overflow
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.1.5096
CVE-2018-14289
- July 31, 2018
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-6221.
Out-of-bounds Read
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14284
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the newDoc function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5773.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14278
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the getPageNumWords method. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6058.
Object Type Confusion
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14281
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the exportData XFA function. The issue results from the lack of proper validation of user-supplied data, which can lead to writing arbitrary files into attacker controlled locations. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5757.
Protection Mechanism Failure
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14282
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of FlateDecode streams. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5763.
Improper Initialization
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14283
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the highlightMode attribute. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5771.
Dangling pointer
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14286
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of arguments passed to the mailDoc function. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5770.
Object Type Confusion
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14287
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of arguments passed to the instanceManager.nodes.append function. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5641.
Object Type Confusion
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049
CVE-2018-14288
- July 31, 2018
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of arguments passed to the setFocus function. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5642.
Dangling pointer
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Foxit Reader or by Foxit? Click the Watch button to subscribe.
