CVE-2020-28969
Description
Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in Aplioxio PDF ShapingUp 5.0.0.139 allows attackers to cause a denial of service via a crafted PDF file.
Vulnerability
PDF ShapingUp v5.0.0.139 contains a stack buffer overflow vulnerability in the handling of PDF files [1]. When the application opens a specially crafted PDF, a buffer overflow occurs, potentially allowing arbitrary code execution. Exploitation requires no authentication and only low user interaction: the user must open the crafted file.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious PDF file and convincing a user to open it with PDF ShapingUp. No authentication is needed, and the attack can be performed remotely. Upon opening the file, the buffer overflow triggers, allowing the attacker to cause a denial of service or potentially execute arbitrary code.
Impact
Successful exploitation leads to a denial of service and, according to the advisory, may also allow remote code execution in the context of the application [1]. The impact is limited to the integrity and availability of the affected system, depending on the payload.
Mitigation
As of the latest available information, no official patch has been released for this vulnerability. Users should exercise caution when opening PDF files from untrusted sources and consider using alternative PDF editing software until a fix is available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Aplioxio/PDF ShapingUp
- Range: =5.0.0.139
Patches
No patches discovered yet.
References
- [1] www.vulnerability-lab.com/get_content.php (mitre, x_refsource_MISC)