CVE-2019-6758: Foxit Reader ConvertToPDF JPG File Parsing Use-After-Free Information Disclosure Vulnerability
First published: Mon Jun 03 2019(Updated: )
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.4.16811. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within ConvertToPDF_x86.dll. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7701.
Credit: zdi-disclosures@trendmicro.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Foxitsoftware Foxit Reader | <=9.4.1.16828 | |
| Foxitsoftware Phantompdf | <=8.3.9.41099 | |
| Foxitsoftware Phantompdf | >=9.0.0<=9.4.1.16828 | |
| Microsoft Windows | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2019-6758.
What software is affected by this vulnerability?
Foxit Reader versions up to 9.4.1.16828 and Phantompdf versions up to 8.3.9.41099 and between 9.0.0 and 9.4.1.16828 are affected.
How severe is CVE-2019-6758?
CVE-2019-6758 has a severity rating of 5.5 (medium).
What is the impact of this vulnerability?
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader.
How can I fix this vulnerability?
It is recommended to update to the latest version of Foxit Reader or Phantompdf to fix this vulnerability.
- agent/references
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/weakness
- agent/author
- agent/remedy
- agent/title
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- agent/first-publish-date
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-19-432
- alias/ZDI-CAN-7701
- alias/CVE-2019-6758
- agent/software-canonical-lookup
- vendor/foxitsoftware
- canonical/foxitsoftware foxit reader
- version/foxitsoftware foxit reader/9.4.1.16828
- canonical/foxitsoftware phantompdf
- version/foxitsoftware phantompdf/8.3.9.41099
- version/foxitsoftware phantompdf/9.0.0
- version/foxitsoftware phantompdf/9.4.1.16828
- vendor/microsoft
- canonical/microsoft windows
- vendor/foxit
- canonical/foxit reader