CVE-2018-18689

CVSS: 5.3 (Medium)
EPSS: 0.04 (p88)
Published: 2018-01-01
Updated: 2018-01-01
Description

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop.

Tags · CWE
Pre-auth
CWE-347
CAPEC-463
CAPEC-475
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Timeline
2018-01-01: Published
2018-01-01: Updated
CVSS 3.1 breakdown
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): None (N)
Availability Impact (A): None (N)
Exploit indicators
EPSS: 0.037 · p88
Known exploited (KEV): No
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
Product                 Vendor  Status
expert_pdf_reader       *       Tracked
expert_pdf_ultimate     *       Tracked
foxit_reader            *       Tracked
foxit_reader            *       Tracked
foxit_reader            *       Tracked
nitro_pro               *       Tracked
nitro_reader            *       Tracked
pdf-xchange_editor      *       Tracked
pdf-xchange_viewer      *       Tracked
pdf_architect           *       Tracked
pdf_editor_6            *       Tracked
pdf_editor_6            *       Tracked
pdf_experte_ultimate    *       Tracked
pdf_studio              *       Tracked
pdf_studio              *       Tracked
pdf_studio              *       Tracked
pdf_studio_viewer_2018  *       Tracked
pdf_studio_viewer_2018  *       Tracked
pdf_studio_viewer_2018  *       Tracked
pdfelement6             *       Tracked
Showing first 20 of 25
Source databases: CVE