Unrated severity · NVD Advisory · Published Aug 25, 2020 · Updated Aug 4, 2024

CVE-2020-17403

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11003.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap out-of-bounds write in Foxit Studio Photo 3.6.6.922 when parsing PSD files allows arbitrary code execution via a malicious file or page.

Vulnerability

This vulnerability affects Foxit Studio Photo version 3.6.6.922. The flaw exists in the handling of PSD files; specifically, the application does not properly validate user-supplied data when parsing the file, leading to a write past the end of an allocated structure (a heap out-of-bounds write). This memory corruption can be triggered when the user opens a specially crafted PSD file or visits a malicious page that loads the file. [1][2]

Exploitation

An attacker can exploit this vulnerability by convincing a target to open a malicious PSD file or visit a malicious web page that triggers the file parsing. Beyond delivering the file, no special privileges or network position are required; user interaction is the only precondition. The exploit requires no authentication and can be delivered via email, download links, or web content. [2]

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current Foxit Studio Photo process. This can lead to complete compromise of the affected system, including data disclosure, modification, or deletion, as well as the potential to install malware or perform further attacks. The CVSS score is 7.8 (High), with impacts to confidentiality, integrity, and availability. [2]

Mitigation

Foxit has released a security bulletin addressing vulnerabilities in its products, but specific patch information for this issue (CVE-2020-17403) is not explicitly provided in the available references. Users should ensure they are running the latest version of Foxit Studio Photo as recommended by the vendor. As of August 2020, no workarounds were documented; the primary mitigation is to update the software to a patched version if available. This vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
