CVE-2020-13811
Description
An issue was discovered in Foxit Studio Photo before 3.6.6.922. It has an out-of-bounds write via a crafted TIFF file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Foxit Studio Photo before 3.6.6.922 contains an out-of-bounds write vulnerability that can be triggered via a crafted TIFF file, potentially leading to code execution.
Vulnerability
An out-of-bounds write vulnerability exists in Foxit Studio Photo versions prior to 3.6.6.922 [1]. The flaw resides in the TIFF image parsing code, where processing a specially crafted TIFF file can cause a write beyond the allocated memory buffer. No special configuration beyond opening the malicious file is required.
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a crafted TIFF file in Foxit Studio Photo [1]. No authentication or special network position is required; the attack vector is local, through opening a file. The only user interaction needed is opening the malicious file, for example by double-clicking it.
Impact
Successful exploitation allows an attacker to write to memory outside the bounds of the allocated buffer, which can lead to arbitrary code execution in the context of the application [1]. This could result in full compromise of the affected system, including data theft, malware installation, or further propagation.
Mitigation
Foxit released version 3.6.6.922 to address this vulnerability [1]. Users should update to this version or later. No workarounds are documented. The CVE is not listed on the CISA KEV as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Foxit/Studio Photo
- Range: <3.6.6.922
Patches
No patches discovered yet.
References
- [1] www.foxitsoftware.com/support/security-bulletins.php (mitre, x_refsource_CONFIRM)