CVE-2019-13318

MEDIUM

Foxitsoftware Reader < 9.5.0.20723 - Format String Vulnerability

Title source: rule

Description

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of the util.printf Javascript method. The application processes the %p parameter in the format string, allowing heap addresses to be returned to the script. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8544.

References (2)

[Release Notes, Vendor Advisory] https://www.foxitsoftware.com/support/security-bulletins.php

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-19-635/

Scores

CVSS v3 5.5

EPSS 0.0091

EPSS Percentile 75.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE

CWE-134

Status published

Products (2)

foxitsoftware/phantompdf < 8.3.10.42705

foxitsoftware/reader < 9.5.0.20723

Published Oct 04, 2019

Tracked Since Feb 18, 2026