CVE-2023-24308: 
PDF-XChange Editor vulnerability analysis and mitigation

A potential memory vulnerability (CVE-2023-24308) was discovered in PDFXEditCore.x64.dll in PDF-XChange Editor version 9.3 by Tracker Software. The vulnerability was disclosed on March 28, 2023, and affects the PDF-XChange Editor application when handling large numbers of objects in PDF files (NVD, Fraunhofer SIT).

The vulnerability stems from insufficient input validation in the PDFXEditCore.x64.dll component when processing PDF files containing a large number of objects. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates local access is required, low attack complexity, no privileges required, and user interaction is needed (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code on the affected system when a user opens a specially crafted PDF file. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (NVD).

A solution has been released in the form of EditorV10.x86_10.1.3.383.msi update (ManageEngine). Users are advised to update their PDF-XChange Editor installations to the latest version to protect against this vulnerability.

The vulnerability was discovered by Philip Kolvenbach of Fraunhofer SIT, with research funded in part by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE (Fraunhofer SIT).