Title: Foxit Studio Photo ARW File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Identifier:
- ZDI-20-1345
- ZDI-CAN-11357

CVE ID: CVE-2020-17434

CVSS Score: 3.3, AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected Vendors: Foxit

Affected Products: Studio Photo

Vulnerability Details:
- Allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo
- The specific flaw exists within the parsing of ARW files
- Lack of proper validation of user-supplied data results in a read past the end of an allocated structure
- Can be leveraged with other vulnerabilities to execute code in the context of the current process

Additional Details:
- Foxit has issued an update to correct this vulnerability
- Details: https://www.foxitsoftware.com/support/security-bulletins.html

Disclosure Timeline:
- 2020-06-24: Vulnerability reported to vendor
- 2020-10-28: Coordinated public release of advisory

Credit: Mat Powell of Trend Micro Zero Day Initiative