CVE-2019-13334: 
Foxit PDF Reader vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2019-13334) was discovered in Foxit PhantomPDF version 9.5.0.20723. The vulnerability exists within the conversion of DXF files to PDF functionality, where improper validation of user-supplied data can result in a write past the end of an allocated structure. This vulnerability was reported to Foxit on May 29, 2019, and was publicly disclosed on October 4, 2019 (ZDI Advisory).

The vulnerability is caused by a lack of proper validation of user-supplied data during DXF file conversion to PDF, which can result in an out-of-bounds write condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is classified as CWE-787 (Out-of-bounds Write) and CWE-822 (Untrusted Pointer Dereference) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically the target must visit a malicious page or open a malicious file (ZDI Advisory).

The plugin Dwg2Pdf, which contains this vulnerability, has reached End of Life and will not be included in Foxit Reader version 9.7 and higher. Users should upgrade to newer versions of the software that do not include the vulnerable component (ZDI Advisory).