CVE-2018-18688

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.
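A defender-side triage check for the condition described above, as an added example that is not part of the CVE record or any vendor's code: it reads each signature's `/ByteRange` and reports bytes appended after the last signed revision. It does not verify the cryptographic signature, it assumes the signature dictionary is stored uncompressed, and the sample files are constructed toy inputs.

```python
import re

# /ByteRange [a b c d]: the signature digest covers bytes [a, a+b) and [c, c+d);
# the gap between the two spans holds the hex-encoded /Contents value.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def unsigned_tail(pdf: bytes):
    """Return (signed_end, tail); signed_end is None if no usable ByteRange exists."""
    ends = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        # Skip ranges that do not start at byte 0, overlap, or run past the file.
        if a == 0 and b <= c and c + d <= len(pdf):
            ends.append(c + d)
    if not ends:
        return None, b""
    signed_end = max(ends)  # the most recent signature covers the most bytes
    return signed_end, pdf[signed_end:]

def check(pdf: bytes) -> str:
    signed_end, tail = unsigned_tail(pdf)
    if signed_end is None:
        return "no usable signature byte range"
    if not tail.strip():
        return "signature covers whole file"
    return "incremental update after signature"

def build_signed_sample() -> bytes:
    """Constructed toy file with a self-consistent ByteRange (not a valid signature)."""
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    tmpl = "%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 {:010d} {:010d} {:010d}] /Contents "
    b = len(tmpl.format(0, 0, 0))
    head = tmpl.format(b, b + len(contents), len(tail)).encode("ascii")
    return head + contents + tail

# Constructed incremental update appended after the signed revision.
SIGNED = build_signed_sample()
UPDATED = SIGNED + b"3 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("signed", SIGNED), ("updated", UPDATED)):
        print(name, "->", check(data))
```

A non-empty tail is a reason to inspect the appended revision, not proof of tampering: later signatures and validation data are also written as incremental updates.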
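
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
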
EPSS Score: Percentile: Unknown

| Vendor | Product | Version |
|---|---|---|
| code-industry | master_pdf_editor | 5.1.12 |
| code-industry | master_pdf_editor | 5.1.68 |
| foxitsoftware | foxit_reader | 9.4 |
| foxitsoftware | phantompdf | 9.0 ≤ 𝑥 < 9.4 |
| foxitsoftware | phantompdf | 8.3.9 |
| gonitro | nitro_pro | 11.0.3.173 |
| gonitro | nitro_reader | 5.5.9.2 |
| iskysoft | pdf_editor_6 | 6.4.2.3521 |
| iskysoft | pdfelement6 | 6.8.0.3523 |
| iskysoft | pdfelement6 | 6.8.4.3921 |
| libreoffice | libreoffice | 6.0.6.2 |
| libreoffice | libreoffice | 6.1.3.2 |
| nuance | power_pdf_standard | 3.0.0.17 |
| nuance | power_pdf_standard | 3.0.0.30 |
| nuance | power_pdf_standard | 7.0 |
| qoppa | pdf_studio | 12.0.7 |
| qoppa | pdf_studio_viewer_2018 | 2018.0.1 |
| qoppa | pdf_studio_viewer_2018 | 2018.2.0 |
| soft-xpansion | perfect_pdf_10 | 10.0.0.1 |
| soft-xpansion | perfect_pdf_reader | 13.0.3 |
| soft-xpansion | perfect_pdf_reader | 13.1.5 |
| code-industry | master_pdf_editor | 5.1.12 |
| code-industry | master_pdf_editor | 5.1.68 |
| foxitsoftware | foxit_reader | 9.1.0 |
| foxitsoftware | foxit_reader | 9.2.0 |
| libreoffice | libreoffice | 6.0.6.2 |
| libreoffice | libreoffice | 6.1.3.2 |
| qoppa | pdf_studio | 12.0.7 |
| qoppa | pdf_studio_viewer_2018 | 2018.0.1 |
| qoppa | pdf_studio_viewer_2018 | 2018.2.0 |
| code-industry | master_pdf_editor | 5.1.24 |
| code-industry | master_pdf_editor | 5.1.68 |
| foxitsoftware | foxit_reader | 9.1.0 |
| foxitsoftware | foxit_reader | 9.2.0 |
| iskysoft | pdf_editor_6 | 6.6.2.3315 |
| iskysoft | pdf_editor_6 | 6.7.6.3399 |
| iskysoft | pdfelement6 | 6.7.1.3355 |
| iskysoft | pdfelement6 | 6.7.6.3399 |
| libreoffice | libreoffice | 6.1.0.3 |
| libreoffice | libreoffice | 6.1.3.2 |
| qoppa | pdf_studio | 12.0.7 |
| qoppa | pdf_studio_viewer_2018 | 2018.0.1 |
| qoppa | pdf_studio_viewer_2018 | 2018.2.0 |

𝑥 = Vulnerable software versions