CVE-2018-18688

MEDIUM EPSS 62.4%
Published Jan 7, 2021 (5y ago) · Modified Jun 17, 2026 (2w ago)
5.3 CVSS 3.1
Medium

Description

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.
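A defensive triage check for the condition described above, added here as an example and not taken from the advisory or any affected product: it reads each signature's `/ByteRange` (the PDF field that lists the signed byte spans) and reports whatever follows the last signed span. The function names and the sample bytes are constructed for illustration.

```python
import re

# /ByteRange [o1 l1 o2 l2] names the two byte spans a signature covers
# (everything around the signature's own /Contents hex string).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
INDIRECT_OBJ = re.compile(rb"\b\d+\s+\d+\s+obj\b")

def unsigned_tail(pdf: bytes):
    """Describe the bytes after the last signed span; None if no signature found."""
    ends = [int(m[3]) + int(m[4]) for m in BYTE_RANGE.finditer(pdf)]
    if not ends:
        return None
    # A later signature legitimately covers earlier revisions, so only the
    # furthest-reaching signed span decides what is left uncovered.
    signed_end = max(ends)
    tail = pdf[signed_end:]
    return {
        "signed_end": signed_end,
        "unsigned_bytes": len(tail.strip()),
        "revisions_after_signature": tail.count(b"%%EOF"),
        "new_objects": len(INDIRECT_OBJ.findall(tail)),
    }

def has_unsigned_update(pdf: bytes) -> bool:
    """True when content was appended after the last signed byte."""
    info = unsigned_tail(pdf)
    return bool(info and info["unsigned_bytes"])

def make_signed_sample() -> bytes:
    """Constructed sample: a PDF-shaped byte string with one signature dictionary."""
    head = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange "
            b"[0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC] /Contents ")
    hole = b"<" + b"00" * 16 + b">"   # placeholder for the signature value
    rest = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\nstartxref\n9\n%%EOF\n"
    values = ((b"A", len(head)), (b"B", len(head) + len(hole)), (b"C", len(rest)))
    for mark, val in values:
        # Fixed-width numbers keep the offsets stable while they are patched in.
        head = head.replace(mark * 10, b"%010d" % val)
    return head + hole + rest
```

This is a byte-level heuristic for sorting files into "signature reaches end of file" and "something was saved after signing"; it does not verify the signature itself and does not replace a validator that reports post-signing revisions to the user.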

CVSS Details

Base Score: 5.3
Exploitability: 3.9
Impact: 1.4
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Threat Intelligence

EPSS Exploit Probability
62.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-347

Affected Products 46

Vendor         Product                 Version     Range
code-industry  master_pdf_editor       5.1.12      any
code-industry  master_pdf_editor       5.1.68      any
foxitsoftware  foxit_reader            9.4         any
foxitsoftware  phantompdf              *           ≥9.0 – <9.4
foxitsoftware  phantompdf              8.3.9       any
gonitro        nitro_pro               11.0.3.173  any
gonitro        nitro_reader            5.5.9.2     any
iskysoft       pdf_editor_6            6.4.2.3521  any
iskysoft       pdfelement6             6.8.0.3523  any
iskysoft       pdfelement6             6.8.4.3921  any
libreoffice    libreoffice             6.0.6.2     any
libreoffice    libreoffice             6.1.3.2     any
nuance         power_pdf_standard      3.0.0.17    any
nuance         power_pdf_standard      3.0.0.30    any
nuance         power_pdf_standard      7.0         any
qoppa          pdf_studio              12.0.7      any
qoppa          pdf_studio_viewer_2018  2018.0.1    any
qoppa          pdf_studio_viewer_2018  2018.2.0    any
soft-xpansion  perfect_pdf_10          10.0.0.1    any
soft-xpansion  perfect_pdf_reader      13.0.3      any
soft-xpansion  perfect_pdf_reader      13.1.5      any
microsoft      windows                 *           any
code-industry  master_pdf_editor       5.1.12      any
code-industry  master_pdf_editor       5.1.68      any
foxitsoftware  foxit_reader            9.1.0       any
foxitsoftware  foxit_reader            9.2.0       any
libreoffice    libreoffice             6.0.6.2     any
libreoffice    libreoffice             6.1.3.2     any
qoppa          pdf_studio              12.0.7      any
qoppa          pdf_studio_viewer_2018  2018.0.1    any
qoppa          pdf_studio_viewer_2018  2018.2.0    any
linux          linux_kernel            *           any
code-industry  master_pdf_editor       5.1.24      any
code-industry  master_pdf_editor       5.1.68      any
foxitsoftware  foxit_reader            9.1.0       any
foxitsoftware  foxit_reader            9.2.0       any
iskysoft       pdf_editor_6            6.6.2.3315  any
iskysoft       pdf_editor_6            6.7.6.3399  any
iskysoft       pdfelement6             6.7.1.3355  any
iskysoft       pdfelement6             6.7.6.3399  any
libreoffice    libreoffice             6.1.0.3     any
libreoffice    libreoffice             6.1.3.2     any
qoppa          pdf_studio              12.0.7      any
qoppa          pdf_studio_viewer_2018  2018.0.1    any
qoppa          pdf_studio_viewer_2018  2018.2.0    any
apple          macos                   *           any

References 4

  • pdf-insecurity.org https://pdf-insecurity.org/signature/evaluation_2018.html
    Third Party Advisory
  • pdf-insecurity.org https://pdf-insecurity.org/signature/signature.html
    Third Party Advisory
  • foxitsoftware.com https://www.foxitsoftware.com/support/security-bulletins.php
    Vendor Advisory
  • pdfa.org https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.