CVE-2020-24432

05.11.2020, 20:15

Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) and Adobe Acrobat Pro DC 2017.011.30175 (and earlier) are affected by an improper input validation vulnerability that could result in arbitrary JavaScript execution in the context of the current user. To exploit this issue, an attacker must acquire and then modify a certified PDF document that is trusted by the victim. The attacker then needs to convince the victim to open the document.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
adobe	CNA	6.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 88%

Vendor	Product	Version
adobe	acrobat	𝑥 ≤ 20.001.30005
adobe	acrobat_dc	𝑥 ≤ 17.011.30175
adobe	acrobat_dc	𝑥 ≤ 20.012.20048
adobe	acrobat_reader	𝑥 ≤ 20.001.30005
adobe	acrobat_reader_dc	𝑥 ≤ 17.011.30175
adobe	acrobat_reader_dc	𝑥 ≤ 20.012.20048

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://helpx.adobe.com/security/products/acrobat/apsb20-67.html