Foxit Reader and PhantomPDF Multiple Code Execution Vulnerabilities

Recently, ZDI published two 0day advisories, ZDI-17-691 and ZDI-17-692, for vulnerabilities in Foxit Reader & PhantomPDF. These are Command Injection and File Write vulnerabilities that can be triggered through the JavaScript API in Foxit Reader. They are not memory corruption vulnerabilities.

Details:

CVE-2017-10951 (ZDI-CAN-4724): This allows the “app.launchURL” method to execute a system call …