CVE-2024-11507: 
IrfanView vulnerability analysis and mitigation

A type confusion vulnerability (CVE-2024-11507) was discovered in IrfanView's DXF file parsing functionality. The vulnerability was reported on November 17, 2023, and publicly disclosed on November 21, 2024. This flaw affects IrfanView installations up to version 4.62 and requires user interaction to exploit (ZDI Advisory).

The vulnerability exists within the parsing of DXF files and stems from improper validation of user-supplied data, resulting in a type confusion condition. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-843 (Access of Resource Using Incompatible Type) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (ZDI Advisory).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version or later to mitigate the risk (ZDI Advisory).