CVE-2023-35985: 
Foxit PDF Reader vulnerability analysis and mitigation

An arbitrary file creation vulnerability (CVE-2023-35985) exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356. The vulnerability stems from a failure to properly validate dangerous extensions, allowing creation of files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening a malicious file to trigger this vulnerability, or exploitation can occur if a user visits a specially-crafted malicious site when the browser plugin extension is enabled (Talos Report).

The vulnerability exists due to Foxit Reader's failure to check for directory traversal characters (../) before appending filenames to temporary directory paths. While the application checks file extensions against a blocklist of known suspicious file types, there is a specific validation issue where files with the extension 'hta' are not properly filtered, only 'hta ' (with a space) is blocked. This allows for the creation of HTML Application (HTA) files that can contain and execute arbitrary code (Talos Report). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

The successful exploitation of this vulnerability could allow attackers to create files at arbitrary locations on the targeted system, ultimately leading to arbitrary code execution. Since HTA files represent HTML Applications and can contain arbitrary code, their execution could give attackers complete control over the affected system (Talos Report).

Foxit has released patches to address this vulnerability. The issue was disclosed to the vendor on August 28, 2023, and a patch was released on November 22, 2023 (Talos Report).

The vulnerability was part of a larger disclosure of multiple vulnerabilities in Foxit PDF Reader, which has drawn attention from the cybersecurity community due to the software's popularity as an alternative to Adobe Acrobat Reader (Security Online).