CVE-2019-6754

HIGH Year: 2019
CVSS v3 Score
7.3
High
CVSS v2 Score
6.8
Medium
Weakness Type
CWE-22
View all →

Vulnerability Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.3.10826. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the localFileStorage method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7407.

Related Vulnerabilities

CVE-2016-10037

HIGH
CVSS:7.3(High)

Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, rel...

CWE-222016

CVE-2016-10038

HIGH
CVSS:7.3(High)

Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to b...

CWE-222016

CVE-2016-10039

HIGH
CVSS:7.3(High)

Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to b...

CWE-222016

CVE-2017-7358

HIGH
CVSS:7.3(High)

In LightDM through 1.22.0, a directory traversal issue in debian/guest-account.sh allows local attackers to own arbitrary directory path locations and escalate privileges to root when the guest user l...

CWE-222017

CVE-2019-3696

HIGH
CVSS:7.3(High)

A Improper Limitation of a Pathname to a Restricted Directory vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance...

CWE-222019

CVE-2019-7227

HIGH
CVSS:7.3(High)

In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD ../" and then use the FTP server functionality to download and upload files. An u...

CWE-222019