CVE-2018-14320 log

Source
Severity Medium
Remote No
Type Arbitrary code execution
Description
This vulnerability in PoDoFo 0.9.6 allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. The issue is fixed in PoDoFo version 0.9.7.
Group Package Affected Fixed Severity Status Ticket
AVG-867 podofo 0.9.6-3 0.9.7-1 Medium Fixed FS#61651
Date Advisory Group Package Severity Type
20 Jan 2021 ASA-202101-36 AVG-867 podofo Medium multiple issues
References
https://zerodayinitiative.com/advisories/ZDI-18-1046
https://sourceforge.net/p/podofo/code/1953/