CVE-2020-8882
Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the PSD files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9811.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Foxit Studio Photo 3.6.6.916 contains an uninitialized pointer vulnerability in PSD file parsing, allowing remote code execution with user interaction.
Vulnerability
This vulnerability exists in Foxit Studio Photo version 3.6.6.916. The flaw resides in the handling of PSD files; the issue results from the lack of proper initialization of a pointer before it is accessed. The vulnerability is reachable when the target user visits a malicious webpage or opens a malicious PSD file. Affected versions are Foxit Studio Photo 3.6.6.916 [1][2].
Exploitation
To exploit this vulnerability, an attacker must convince the target user to open a specially crafted PSD file or visit a malicious page that triggers the parsing of such a file. No other special network position or authentication is required beyond the user interaction. The attacker constructs a PSD file that causes the code to access an uninitialized pointer, leading to arbitrary code execution [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user process. This can result in full compromise of the affected system: disclosure of sensitive information, modification of data, or denial of service. The CVSS v3.0 score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [1][2].
Mitigation
Foxit has released security updates for related products, but the available references do not explicitly state a fixed version for Foxit Studio Photo 3.6.6.916. Users should check Foxit's security bulletins for updated versions. As of now, no specific patch is confirmed for this CVE in the provided references. It is recommended to use caution when opening PSD files from untrusted sources [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =3.6.6.916
- Foxit/Studio Photo | v5 | Range: 3.6.6.916
Patches
No patches discovered yet.
References
- www.foxitsoftware.com/support/security-bulletins.php (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-305/ (mitre, x_refsource_MISC)