CVE-2019-17136: 
Foxit PDF Reader vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2019-17136) was discovered in Foxit PhantomPDF version 9.5.0.20723. The vulnerability exists within the conversion of DXF files to PDF functionality, specifically in the Dwg2Pdf plugin. The issue was reported to Foxit on May 29, 2019, and was publicly disclosed on October 4, 2019 (ZDI Advisory).

The vulnerability stems from the lack of proper validation of user-supplied data during DXF file conversion to PDF, which can result in a read past the end of an allocated structure. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is classified as CWE-125 (Out-of-bounds Read) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically that the target must visit a malicious page or open a malicious file (ZDI Advisory).

The Dwg2Pdf plugin, which contains this vulnerability, has been marked as End of Life and will not be included in Foxit Reader version 9.7 and higher (ZDI Advisory).