CVE-2023-27363
Published: 03 May 2024
Summary
CVE-2023-27363 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Foxit Pdf Editor. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-27363 is a remote code execution vulnerability in Foxit PDF Reader that stems from the exportXFAData method exposing a JavaScript interface capable of writing arbitrary files. The flaw, tracked as ZDI-CAN-19697 and assigned CWE-749, affects installations of the PDF reader and carries a CVSS 3.0 score of 7.8.
An attacker can exploit the issue by convincing a target to open a malicious PDF or visit a malicious page, after which arbitrary code executes in the context of the current user. No special privileges are required beyond the user interaction needed to trigger the file or page.
Public advisories from Foxit and the Zero Day Initiative are available at the referenced URLs and address the vulnerability through security bulletins.
The EPSS score has reached a current value of 0.7947 with a recorded peak of 0.8213, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31139
Vulnerability details
Foxit PDF Reader exportXFAData Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the exportXFAData method. The application exposes a JavaScript interface that allows writing arbitrary files. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19697.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.