Aleksandar Nikolic and Cory Duplantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered two code execution vulnerabilities and an information disclosure flaw in Nitro Pro PDF reader. Nitro PDF allows users to save, read, sign and edit PDFs on their
computers. The software contains vulnerabilities that could allow adversaries to carry out a variety of actions.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Nitro PDF to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
Nitro PRO PDF nested pages remote code execution vulnerability (TALOS-2020-0997/CVE-2020-6074)
An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.
Nitro Pro PDF pattern object code execution vulnerability (TALOS-2020-1013/CVE-2020-6092)
An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. A victim must open a malicious file to trigger this vulnerability
Read the complete vulnerability advisory
Support the originator by clicking the read the rest link below.
