CVE-2019-14210

Vulnerability

An issue was discovered in Foxit PhantomPDF before version 8.3.10. The application is vulnerable to memory corruption due to the use of an invalid pointer copy, which originates from a destructed string object. No special configuration is required to trigger the vulnerability; it can be exploited when the application processes a crafted PDF file.

Exploitation

To exploit this vulnerability, an attacker must convince a user to open a specially crafted PDF file with Foxit PhantomPDF (or later Foxit PDF Editor). No additional privileges or network access are required beyond standard user interaction. The malicious file triggers the invalid pointer copy, leading to memory corruption.

Impact

Successful exploitation could lead to arbitrary code execution in the context of the affected application, or potentially cause a denial of service due to memory corruption. The attacker could gain the same privileges as the user running the software, which may allow further compromise of the system.

Mitigation

Foxit released a fix in PhantomPDF version 8.3.10. Users should update to this version or later. The affected product has been rebranded as Foxit PDF Editor, and subsequent versions incorporate the fix as listed in the Foxit security bulletins [1]. No workarounds are available.