Vulnerability Details : CVE-2023-35985
Potential exploit
An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted malicious site if the browser plugin extension is enabled.
Vulnerability category: File inclusion
Products affected by CVE-2023-35985
- cpe:2.3:a:foxitsoftware:foxit_reader:12.1.3.15356:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-35985
2.38%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-35985
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
Talos |
CWE ids for CVE-2023-35985
-
The product allows user input to control or influence paths or file names that are used in filesystem operations.Assigned by: talos-cna@cisco.com (Secondary)
-
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-35985
-
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1834
-
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1834
TALOS-2023-1834 || Cisco Talos Intelligence Group - Comprehensive Threat IntelligenceExploit;Third Party Advisory
Jump to