Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.
In accordance with Cisco's disclosure policy, Talos is disclosing these vulnerabilities after numerous unsuccessful attempts were made to contact Aspose to report these vulnerabilities.
Vulnerability details
Aspose Aspose.Cells LabelSst remote code execution vulnerability (TALOS-2019-0794/CVE-2019-5032) An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. Read the complete vulnerability advisory here for additional information. Aspose Aspose.Cells number remote code execution vulnerability (TALOS-2019-0795/CVE-2019-5033) An exploitable out-of-bounds read vulnerability exists in the Number record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. Read the complete vulnerability advisory vulnerability spotlight multiple vulnerabilities aspose
