CVE-2022-37350: 
PDF-XChange Editor vulnerability analysis and mitigation

CVE-2022-37350 is a vulnerability in PDF-XChange Editor that allows remote attackers to execute arbitrary code. The vulnerability requires user interaction, specifically that the target must visit a malicious page or open a malicious file. The vulnerability was discovered by Suyue Guo and Wei You from Renmin University of China and was reported to the vendor on May 16, 2022, with public disclosure on August 18, 2022 (Zero Day Initiative).

The vulnerability exists within the handling of Collab objects in PDF-XChange Editor version 9.3.361.0. By performing actions in JavaScript, an attacker can trigger a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

An attacker can leverage this vulnerability to execute code in the context of the current process, potentially gaining control over the affected system. The vulnerability affects the confidentiality, integrity, and availability of the system, as indicated by the CVSS scoring (Zero Day Initiative).

PDF-XChange has issued an update to correct this vulnerability. Users should update to the latest version of the software available through the vendor's website (Tracker Software).