MidnightBSD

Advisories for qoppa

CVE-2018-18688 MEDIUM

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
nuance power_pdf_standard 3.0.0.17
foxitsoftware phantompdf 8.3.9
code-industry master_pdf_editor 5.1.24
iskysoft pdf_editor_6 6.4.2.3521
nuance power_pdf_standard 7.0
code-industry master_pdf_editor 5.1.68
libreoffice libreoffice 6.0.6.2
foxitsoftware foxit_reader 9.4
nuance power_pdf_standard 3.0.0.30
qoppa pdf_studio_viewer_2018 2018.2.0
qoppa pdf_studio 12.0.7
gonitro nitro_pro 11.0.3.173
soft-xpansion perfect_pdf_10 10.0.0.1
iskysoft pdfelement6 6.7.6.3399
iskysoft pdf_editor_6 6.6.2.3315
soft-xpansion perfect_pdf_reader 13.1.5
iskysoft pdfelement6 6.8.0.3523
libreoffice libreoffice 6.1.3.2
qoppa pdf_studio_viewer_2018 2018.0.1
foxitsoftware foxit_reader 9.2.0
foxitsoftware phantompdf *
gonitro nitro_reader 5.5.9.2
iskysoft pdf_editor_6 6.7.6.3399
foxitsoftware foxit_reader 9.1.0
iskysoft pdfelement6 6.7.1.3355
libreoffice libreoffice 6.1.0.3
code-industry master_pdf_editor 5.1.12
soft-xpansion perfect_pdf_reader 13.0.3
iskysoft pdfelement6 6.8.4.3921
CVE-2018-18689 MEDIUM

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
foxitsoftware foxit_reader 9.3.0.10826
tracker-software pdf-xchange_viewer 2.5
iskysoft pdf_editor_6 6.4.2.3521
visagesoft expert_pdf_reader 9.0.180
avanquest pdf_experte_ultimate 9.0.270
qoppa pdf_studio_viewer_2018 2018.2.0
qoppa pdf_studio 12.0.7
gonitro nitro_pro 11.0.3.173
foxitsoftware foxit_reader 9.2.0.9297
pdfforge pdf_architect 6.1.24.1862
soft-xpansion perfect_pdf_10 10.0.0.1
sodapdf soda_pdf 9.3.17
iskysoft pdfelement6 6.7.6.3399
iskysoft pdf_editor_6 6.6.2.3315
soft-xpansion perfect_pdf_reader 13.1.5
pdfforge pdf_architect 6.0.37
iskysoft pdfelement6 6.8.0.3523
pdf-xchange pdf-xchange_editor 7.0.237.1
pdf-xchange pdf-xchange_editor 7.0.326
qoppa pdf_studio_viewer_2018 2018.0.1
foxitsoftware foxit_reader 9.2.0
gonitro nitro_reader 5.5.9.2
sodapdf soda_pdf_desktop 10.2.09
iskysoft pdf_editor_6 6.7.6.3399
foxitsoftware foxit_reader 9.1.0
iskysoft pdfelement6 6.7.1.3355
sodapdf soda_pdf_desktop 10.2.16.1217
soft-xpansion perfect_pdf_reader 13.0.3
avanquest expert_pdf_ultimate 12.0.20
iskysoft pdfelement6 6.8.4.3921