PT-2020-5581 · Foxit · Foxit Phantompdf
Mat Powell · Published 2020-04-16 · Updated 2020-04-30 · CVE-2020-10912
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Foxit PhantomPDF version 9.7.0.29478
Description
The issue is a type confusion condition caused by the lack of proper validation of user-supplied data in the handling of the SetFieldValue command of the communication API. This can allow a remote attacker to execute arbitrary code on affected installations, but user interaction is required, such as visiting a malicious page or opening a malicious file. Exploitation of this issue results in code execution in the context of the current process.
Recommendations
For Foxit PhantomPDF version 9.7.0.29478, consider restricting access to the SetFieldValue command until a patch is available. As a temporary workaround, avoid using the SetFieldValue command in the communication API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Tags: RCE, Type Confusion
Affected Products
Foxit Phantompdf