Vulnerability Details:
- CVE ID: CVE-2017-10951
- CVSS Score: 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P
- Affected Vendors: Foxit
- Affected Products: Reader
- Vulnerability Overview: This flaw in the app.launchURL method in Foxit Reader allows remote code execution because user-supplied strings are not properly validated before a system call is executed.
- Mitigation: The only effective mitigation strategy is to restrict interaction with the application to trusted files. Safe Reading Mode in Foxit Reader and PhantomPDF, enabled by default, controls JavaScript execution, which can guard against this vulnerability.

Disclosure Timeline:
- Vulnerability reported to vendor on 2017-05-18.
- Coordinated public release of advisory on 2017-08-17.

Credit to: Ariele Caltabiano (kimiya)
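
To support the "trusted files" mitigation, the following triage sketch reports whether a PDF carries JavaScript and lists the arguments of any app.launchURL call before the file is opened. It is an added example, not part of the original advisory or of any Foxit tooling; the function names and the sample bytes are constructed for illustration, and it assumes only plain and Flate-compressed streams.

```python
import re
import zlib

# Stream bodies; the filter is not parsed, inflation is simply attempted.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# app.launchURL( ... ), tolerating the \( \) escapes of a PDF literal string.
CALL_RE = re.compile(rb"app\s*\.\s*launchURL\s*\\?\(\s*([^)]*)\)")
JS_KEY_RE = re.compile(rb"/(?:JS|JavaScript)\b")


def decoded_views(pdf_bytes):
    """Yield the raw file, then every stream body that inflates as zlib."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj ignores the end-of-line bytes after the data.
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter, encrypted, or plain text (seen in raw view)


def find_launchurl_calls(pdf_bytes):
    """Return the argument text of each app.launchURL(...) call found."""
    hits = []
    for view in decoded_views(pdf_bytes):
        for m in CALL_RE.finditer(view):
            hits.append(m.group(1).decode("latin-1").rstrip("\\").strip())
    return hits


def triage(pdf_bytes):
    """Summarise what a reviewer needs before the file is opened."""
    return {
        "has_javascript": bool(JS_KEY_RE.search(pdf_bytes)),
        "launchurl_args": find_launchurl_calls(pdf_bytes),
    }


# Constructed sample: PDF-like fragments, not a complete or real document.
_flate = zlib.compress(b'app.launchURL("https://example.test/a", true);')
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript "
    b'/JS (app.launchURL\\("https://example.test/b"\\);) >>\nendobj\n'
    b"2 0 obj\n<< /Filter /FlateDecode /Length "
    + str(len(_flate)).encode()
    + b" >>\nstream\n" + _flate + b"\nendstream\nendobj\n%%EOF\n"
)
```

A hit means the document scripts a URL launch and deserves review before it is opened with JavaScript enabled; an empty result is not proof of a clean file, since encrypted documents and other stream filters are not decoded here.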