PT-2020-17562 · Foxit · Foxit Reader+1
Published: 2020-12-31 · Updated: 2021-09-08
CVE-2020-35931
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Foxit Reader versions prior to 10.1.1
Foxit Reader versions prior to 4.1.1 on macOS
PhantomPDF versions prior to 9.7.5
PhantomPDF versions 10.x prior to 10.1.1
PhantomPDF versions prior to 4.1.1 on macOS
Description
An issue allows an attacker to spoof a certified PDF document via an Evil Annotation Attack. This is because the products fail to consider a null value for a Subtype entry of the Annotation dictionary, in an incremental update.
Recommendations
For Foxit Reader versions prior to 10.1.1, update to version 10.1.1 or later.
For Foxit Reader versions prior to 4.1.1 on macOS, update to version 4.1.1 or later.
For PhantomPDF versions prior to 9.7.5, update to version 9.7.5 or later.
For PhantomPDF versions 10.x prior to 10.1.1, update to version 10.1.1 or later.
For PhantomPDF versions prior to 4.1.1 on macOS, update to version 4.1.1 or later.
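A heuristic triage check for the condition named in the description, added here as an example and not code from Foxit or from this advisory: it flags annotation-like objects appended after the first %%EOF (an incremental update) whose /Subtype value is null. The regexes, function names and sample bytes are assumptions constructed for illustration; compressed object streams are not inspected, and linearized files can contain an extra %%EOF that shifts the revision index.

```python
import re

# One indirect object: "<num> <gen> obj ... endobj"
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /Subtype whose value is the null object rather than a name such as /Text
NULL_SUBTYPE_RE = re.compile(rb"/Subtype\s+null\b")
# Assumption: an annotation dictionary carries /Type /Annot or at least a /Rect
ANNOT_HINT_RE = re.compile(rb"/Type\s*/Annot\b|/Rect\s*\[")


def split_revisions(pdf: bytes) -> list[bytes]:
    """Split a PDF into revisions; each revision ends at an %%EOF marker."""
    revisions, start = [], 0
    for m in re.finditer(rb"%%EOF[ \t]*\r?\n?", pdf):
        revisions.append(pdf[start:m.end()])
        start = m.end()
    return revisions


def find_null_subtype_annots(pdf: bytes) -> list[tuple[int, int, int]]:
    """Return (revision_index, obj_num, gen) for annotation-like objects
    added in an incremental update whose /Subtype is null."""
    hits = []
    for rev_idx, rev in enumerate(split_revisions(pdf)):
        if rev_idx == 0:
            continue  # original revision, not an incremental update
        for m in OBJ_RE.finditer(rev):
            body = m.group(3)
            if NULL_SUBTYPE_RE.search(body) and ANNOT_HINT_RE.search(body):
                hits.append((rev_idx, int(m.group(1)), int(m.group(2))))
    return hits


# Constructed fragment (not a complete, valid PDF): revision 0, then one update.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>\nendobj\n"
    b"%%EOF\n"
    b"7 0 obj\n<< /Type /Annot /Subtype null /Rect [0 0 600 800] >>\nendobj\n"
    b"8 0 obj\n<< /Type /Annot /Subtype /Text /Rect [0 0 10 10] >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for rev, num, gen in find_null_subtype_annots(SAMPLE):
        print(f"revision {rev}: object {num} {gen} has /Subtype null")
```

A hit is a reason to inspect the file manually before trusting its certification status; it is not proof of tampering.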
Fix
Improper Check for Exceptional Conditions
Weakness Enumeration
Related Identifiers
Affected Products
Foxit Reader
PhantomPDF