CVE-2023-39505 - OpenCVE

PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Net.HTTP.requests method. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of the current user. Was ZDI-CAN-20211.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.zerodayinitiative.com/advisories/ZDI-23-1143/

History

No history.

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2024-05-03T02:11:04.524Z

Updated: 2024-08-02T18:10:21.130Z

Reserved: 2023-08-02T21:37:23.131Z

Link: CVE-2023-39505

Vulnrichment

Updated: 2024-08-02T18:10:21.130Z

NVD

Status : Awaiting Analysis

Published: 2024-05-03T03:15:18.620

Modified: 2024-05-03T12:50:12.213

Link: CVE-2023-39505

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39505", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2023-08-02T21:37:23.131Z", "datePublished": "2024-05-03T02:11:04.524Z", "dateUpdated": "2024-08-02T18:10:21.130Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-03T02:11:04.524Z"}, "title": "PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability", "descriptions": [{"lang": "en", "value": "PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the Net.HTTP.requests method. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of the current user. Was ZDI-CAN-20211."}], "affected": [{"vendor": "PDF-XChange", "product": "PDF-XChange Editor", "versions": [{"version": "9.5.366.0", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-749", "description": "CWE-749: Exposed Dangerous Method or Function", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1143/", "name": "ZDI-23-1143", "tags": ["x_research-advisory"]}], "dateAssigned": "2023-08-02T16:44:31.672-05:00", "datePublic": "2023-08-17T14:05:42.983-05:00", "source": {"lang": "en", "value": "Andrea Micalizzi aka rgod"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-15T18:02:19.455080Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:tracker-software:pdf-xchange_editor:9.5.366.0:*:*:*:*:*:*:*"], "vendor": "tracker-software", "product": "pdf-xchange_editor", "versions": [{"status": "affected", "version": "9.5.366.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:27:00.580Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:10:21.130Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1143/", "name": "ZDI-23-1143", "tags": ["x_research-advisory", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1143/", "name": "ZDI-23-1143", "tags": ["x_research-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:10:21.130Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-15T18:02:19.455080Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:tracker-software:pdf-xchange_editor:9.5.366.0:*:*:*:*:*:*:*"], "vendor": "tracker-software", "product": "pdf-xchange_editor", "versions": [{"status": "affected", "version": "9.5.366.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-15T18:04:50.374Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability", "source": {"lang": "en", "value": "Andrea Micalizzi aka rgod"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "PDF-XChange", "product": "PDF-XChange Editor", "versions": [{"status": "affected", "version": "9.5.366.0"}], "defaultStatus": "unknown"}], "datePublic": "2023-08-17T14:05:42.983-05:00", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1143/", "name": "ZDI-23-1143", "tags": ["x_research-advisory"]}], "dateAssigned": "2023-08-02T16:44:31.672-05:00", "descriptions": [{"lang": "en", "value": "PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the Net.HTTP.requests method. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of the current user. Was ZDI-CAN-20211."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-749", "description": "CWE-749: Exposed Dangerous Method or Function"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-03T02:11:04.524Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39505", "state": "PUBLISHED", "dateUpdated": "2024-08-02T18:10:21.130Z", "dateReserved": "2023-08-02T21:37:23.131Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2024-05-03T02:11:04.524Z", "assignerShortName": "zdi"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the Net.HTTP.requests method. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of the current user. Was ZDI-CAN-20211."}, {"lang": "es", "value": "PDF-XChange Editor Net.HTTP.requests Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n de funci\u00f3n peligrosa expuesta. Esta vulnerabilidad permite a atacantes remotos revelar informaci\u00f3n confidencial sobre las instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe dentro del m\u00e9todo Net.HTTP.requests. El problema resulta de la exposici\u00f3n de una funci\u00f3n peligrosa. Un atacante puede aprovechar esta vulnerabilidad para revelar informaci\u00f3n en el contexto del usuario actual. Fue ZDI-CAN-20211."}], "id": "CVE-2023-39505", "lastModified": "2024-05-03T12:50:12.213", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2024-05-03T03:15:18.620", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1143/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}