Vulnerabilities in Popular PDF Platforms Allowed Account Takeover, Data Exfiltration

Researchers at Novee discovered 16 vulnerabilities in Apryse WebViewer and Foxit PDF cloud services that could enable account takeover, data exfiltration, arbitrary code execution, and persistent compromise. Both vendors were responsibly notified and have released patches addressing issues such as XSS, SSRF, path traversal, and OS command injection. #Apryse #Foxit

Keypoints

  • Novee identified 16 vulnerabilities across Apryse and Foxit PDF platforms.
  • Flaws included DOM XSS, stored and reflected XSS, SSRF, path traversal, and OS command injection.
  • Apryse had one critical and two high-severity issues; Foxit had two high-severity and 11 medium-severity issues.
  • Exploits could be delivered via crafted documents, URLs, or messages to achieve account takeover, data exfiltration, or persistent compromise.
  • Both vendors were notified through responsible disclosure and have issued patches and mitigations.

Read More: https://www.securityweek.com/vulnerabilities-in-popular-pdf-platforms-allowed-account-takeover-data-exfiltration/