Title: Foxit Reader mailDoc Type Confusion Remote Code Execution Vulnerability IDs: - ZDI-18-737 - ZDI-CAN-6059 CVE ID: CVE-2018-14277 CVSS Score: 6.8 Affected Vendors: Foxit Affected Products: Reader Vulnerability Details: The vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. It requires user interaction to visit a malicious page or open a malicious file. The flaw exists within the mailDoc method, where performing actions in JavaScript can trigger a type confusion condition, allowing the execution of code under the current process context. Additional Details: Foxit has issued an update to correct this vulnerability. More details are available at https://www.foxitsoftware.com/support/security-bulletins.php. Disclosure Timeline: - 2018-04-05: Vulnerability reported to vendor - 2018-07-19: Coordinated public release of advisory - 2018-07-19: Advisory updated Credit: TrendyTofu - Trend Micro Zero Day Initiative