CVE-2018-18689

MEDIUM EPSS 88.3%
Published Jan 7, 2021 (5y ago) · Modified Jun 17, 2026 (2w ago)
5.3 CVSS 3.1
Medium

Description

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop.

CVSS Details

Base Score: 5.3
Exploitability: 3.9
Impact: 1.4
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Threat Intelligence

EPSS Exploit Probability: 88.3% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

Weaknesses 1

CWE-347

Affected Products 42

Vendor            Product                   Version          Range
avanquest         expert_pdf_ultimate       12.0.20          any
avanquest         pdf_experte_ultimate      9.0.270          any
foxitsoftware     foxit_reader              9.1.0            any
foxitsoftware     foxit_reader              9.2.0.9297       any
foxitsoftware     foxit_reader              9.3.0.10826      any
gonitro           nitro_pro                 11.0.3.173       any
gonitro           nitro_reader              5.5.9.2          any
iskysoft          pdf_editor_6              6.4.2.3521       any
iskysoft          pdfelement6               6.8.0.3523       any
iskysoft          pdfelement6               6.8.4.3921       any
pdf-xchange       pdf-xchange_editor        7.0.237.1        any
pdf-xchange       pdf-xchange_editor        7.0.326          any
pdfforge          pdf_architect             6.0.37           any
pdfforge          pdf_architect             6.1.24.1862      any
qoppa             pdf_studio                12.0.7           any
qoppa             pdf_studio_viewer_2018    2018.0.1         any
qoppa             pdf_studio_viewer_2018    2018.2.0         any
sodapdf           soda_pdf                  9.3.17           any
sodapdf           soda_pdf_desktop          10.2.09          any
sodapdf           soda_pdf_desktop          10.2.16.1217     any
soft-xpansion     perfect_pdf_10            10.0.0.1         any
soft-xpansion     perfect_pdf_reader        13.0.3           any
soft-xpansion     perfect_pdf_reader        13.1.5           any
tracker-software  pdf-xchange_viewer        2.5              any
visagesoft        expert_pdf_reader         9.0.180          any
microsoft         windows                   *                any
foxitsoftware     foxit_reader              9.1.0            any
foxitsoftware     foxit_reader              9.2.0            any
iskysoft          pdf_editor_6              6.6.2.3315       any
iskysoft          pdf_editor_6              6.7.6.3399       any
iskysoft          pdfelement6               6.7.1.3355       any
iskysoft          pdfelement6               6.7.6.3399       any
qoppa             pdf_studio                12.0.7           any
qoppa             pdf_studio_viewer_2018    2018.0.1         any
qoppa             pdf_studio_viewer_2018    2018.2.0         any
apple             macos                     *                any
foxitsoftware     foxit_reader              9.1.0            any
foxitsoftware     foxit_reader              9.2.0            any
qoppa             pdf_studio                12.0.7           any
qoppa             pdf_studio_viewer_2018    2018.0.1         any
qoppa             pdf_studio_viewer_2018    2018.2.0         any
linux             linux_kernel              *                any

References 4

  • pdf-insecurity.org https://pdf-insecurity.org/signature/evaluation_2018.html
    Third Party Advisory
  • pdf-insecurity.org https://pdf-insecurity.org/signature/signature.html
    Third Party Advisory
  • foxitsoftware.com https://www.foxitsoftware.com/support/security-bulletins.php
    Vendor Advisory
  • pdfa.org https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.