CVE-2018-18688
MEDIUMMultiple PDF Editors - Improper Verification of Cryptographic Signature via Incremental Saving
Title source: llmDescription
The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://www.foxitsoftware.com/support/security-bulletins.php
Third Party Advisory x_refsource_misc
https://pdf-insecurity.org/signature/evaluation_2018.html
Third Party Advisory x_refsource_misc
https://pdf-insecurity.org/signature/signature.html
Third Party Advisory x_refsource_misc
https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/
Scores
CVSS v3
5.3
EPSS
0.0000
EPSS Percentile
0.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-347
Status
published
Products (29)
code-industry/master_pdf_editor
5.1.12
code-industry/master_pdf_editor
5.1.68
code-industry/master_pdf_editor
5.1.24
foxitsoftware/foxit_reader
9.4
foxitsoftware/foxit_reader
9.1.0
foxitsoftware/foxit_reader
9.2.0
foxitsoftware/phantompdf
8.3.9
foxitsoftware/phantompdf
9.0 - 9.4
gonitro/nitro_pro
11.0.3.173
gonitro/nitro_reader
5.5.9.2
... and 19 more
Published
Jan 07, 2021
Tracked Since
Feb 18, 2026