Foxit Plugs Multiple Security Holes in PDF Reader, Editor
Foxit Software released security updates for its PDF Reader and PDF Editor applications to address multiple vulnerabilities, including some leading to remote code execution.
Three of the vulnerabilities addressed by Foxit were identified by Cisco Talos researchers, all three leading to arbitrary code execution.
Tracked as CVE-2021-21831, CVE-2021-21870, and CVE-2021-21893, the bugs carry a CVSS severity score of 8.8.
These flaws are use-after-free vulnerabilities in the JavaScript engine of PDF Reader that an attacker could exploit by tricking the target into opening a malicious PDF file. The vulnerabilities could also be exploited via a malicious website, provided that the victim has Foxit’s browser plugin enabled, according to a Cisco Talos advisory.
More information on the vulnerabilities and updates is available in the Foxit security advisory – foxit.com.
Source: securityweek.com
29 July 2021