CVE-2024-8828: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains an out-of-bounds read vulnerability in the EMF file parsing functionality. The vulnerability, identified as CVE-2024-8828, was discovered by Rocco Calvi (@TecR0c) with TecSecurity and affects PDF-XChange Editor version 10.3.0.386 and earlier. The issue was reported to the vendor on June 6, 2024, and was publicly disclosed on September 17, 2024 (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of EMF files, which can result in a read past the end of an allocated object. The issue has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) by NIST with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, while Zero Day Initiative rates it at 3.3 (LOW) with vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. The impact is limited to information disclosure, but an attacker could potentially leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.3.1.387. Users are advised to upgrade to this version or later to mitigate the vulnerability (ZDI Advisory).