The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.
References
Link | Resource |
---|---|
https://pdf-insecurity.org/signature/evaluation_2018.html | Third Party Advisory |
https://pdf-insecurity.org/signature/signature.html | Third Party Advisory |
https://www.foxitsoftware.com/support/security-bulletins.php | Vendor Advisory |
https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
History
14 Jan 2021, 18:35
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:code-industry:master_pdf_editor:5.1.24:*:*:*:*:*:*:* cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* cpe:2.3:a:soft-xpansion:perfect_pdf_10:10.0.0.1:*:*:*:premium:*:*:* cpe:2.3:a:iskysoft:pdf_editor_6:6.4.2.3521:*:*:*:professional:*:*:* cpe:2.3:a:qoppa:pdf_studio:12.0.7:*:*:*:professional:*:*:* cpe:2.3:a:iskysoft:pdfelement6:6.7.1.3355:*:*:*:professional:*:*:* cpe:2.3:a:nuance:power_pdf_standard:7.0:*:*:*:*:*:*:* cpe:2.3:a:iskysoft:pdf_editor_6:6.6.2.3315:*:*:*:professional:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* cpe:2.3:a:iskysoft:pdfelement6:6.7.6.3399:*:*:*:professional:*:*:* cpe:2.3:a:code-industry:master_pdf_editor:5.1.12:*:*:*:*:*:*:* cpe:2.3:a:nuance:power_pdf_standard:3.0.0.17:*:*:*:*:*:*:* cpe:2.3:a:code-industry:master_pdf_editor:5.1.68:*:*:*:*:*:*:* cpe:2.3:a:foxitsoftware:foxit_reader:9.2.0:*:*:*:*:*:*:* cpe:2.3:a:foxitsoftware:phantompdf:8.3.9:*:*:*:*:*:*:* cpe:2.3:a:gonitro:nitro_pro:11.0.3.173:*:*:*:*:*:*:* cpe:2.3:a:foxitsoftware:foxit_reader:9.1.0:*:*:*:*:*:*:* cpe:2.3:a:foxitsoftware:foxit_reader:9.4:*:*:*:*:*:*:* cpe:2.3:a:libreoffice:libreoffice:6.1.0.3:*:*:*:*:*:*:* cpe:2.3:a:iskysoft:pdfelement6:6.8.0.3523:*:*:*:professional:*:*:* cpe:2.3:a:libreoffice:libreoffice:6.0.6.2:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.2.0:*:*:*:*:*:*:* cpe:2.3:a:gonitro:nitro_reader:5.5.9.2:*:*:*:*:*:*:* cpe:2.3:a:nuance:power_pdf_standard:3.0.0.30:*:*:*:*:*:*:* cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.0.1:*:*:*:*:*:*:* cpe:2.3:a:soft-xpansion:perfect_pdf_reader:13.1.5:*:*:*:*:*:*:* cpe:2.3:a:iskysoft:pdfelement6:6.8.4.3921:*:*:*:professional:*:*:* cpe:2.3:a:foxitsoftware:phantompdf:*:*:*:*:*:*:*:* cpe:2.3:a:libreoffice:libreoffice:6.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:iskysoft:pdf_editor_6:6.7.6.3399:*:*:*:professional:*:*:* cpe:2.3:a:soft-xpansion:perfect_pdf_reader:13.0.3:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 5.3 |
CWE | CWE-347 | |
References | (MISC) https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/ - Third Party Advisory | |
References | (MISC) https://pdf-insecurity.org/signature/signature.html - Third Party Advisory | |
References | (MISC) https://pdf-insecurity.org/signature/evaluation_2018.html - Third Party Advisory | |
References | (CONFIRM) https://www.foxitsoftware.com/support/security-bulletins.php - Vendor Advisory |
07 Jan 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-01-07 18:15
Updated : 2023-12-10 13:41
NVD link : CVE-2018-18688
Mitre link : CVE-2018-18688
CVE.ORG link : CVE-2018-18688
JSON object : View
Products Affected
nuance
- power_pdf_standard
foxitsoftware
- phantompdf
- foxit_reader
iskysoft
- pdf_editor_6
- pdfelement6
qoppa
- pdf_studio_viewer_2018
- pdf_studio
apple
- macos
libreoffice
- libreoffice
linux
- linux_kernel
soft-xpansion
- perfect_pdf_10
- perfect_pdf_reader
gonitro
- nitro_pro
- nitro_reader
microsoft
- windows
code-industry
- master_pdf_editor
CWE
CWE-347
Improper Verification of Cryptographic Signature