Significant security vulnerabilities have been uncovered in popular PDF platforms, posing a serious risk to enterprises globally. A total of 16 zero-day flaws, including critical OS Command Injection, DOM-based XSS, SSRF, and Path Traversal vulnerabilities, have been identified in Apryse WebViewer and Foxit PDF cloud services.
Details of the Discovered Vulnerabilities
The vulnerabilities were disclosed by Novee Security, which utilized a combination of AI and human expertise to identify these risks in widely used PDF platforms. The flawed systems affect millions of users, making it crucial for enterprises to address these security gaps immediately.
Both Apryse and Foxit were informed of these vulnerabilities under a responsible disclosure process, allowing them to release patches and mitigations before publicizing the issues.
Research Methodology and Vulnerability Impact
Apryse WebViewer’s architecture, which includes a React-based UI, a JavaScript/WebAssembly document engine, and a server-side SDK, was found to have significant trust boundary failures. These inadequacies in input validation were the root cause of the vulnerabilities.
Novee Security’s approach involved a blend of human intelligence and AI agents. The process included identifying vulnerability patterns and encoding these into agents designed to systematically explore and exploit these issues across the platform.
Particularly concerning is the Critical OS Command Injection vulnerability (CVSS 9.8) found in the Foxit PDF SDK for Web, allowing full remote code execution with a single POST request.
Specific Vulnerabilities and Recommendations
Among the vulnerabilities, an SSRF issue in Apryse WebViewer’s server-side iFrame rendering allows unauthorized content rendering, posing a network security risk. Apryse’s uiConfig parameter flaw also enables Critical DOM XSS through unsanitized JSON data.
Furthermore, a high-severity Path Traversal flaw in Foxit’s Collaboration Add-on permits unauthorized directory access. Multiple stored XSS vulnerabilities were also identified across Foxit’s platform.
Enterprises using Apryse WebViewer or Foxit PDF SDK for Web are urged to apply the available patches promptly. Additionally, conducting a thorough audit of their systems, particularly focusing on input validation protocols, is recommended to prevent exploitation of these vulnerabilities.
Implementing strict Content-Security-Policy and postMessage origin validation is also advised to enhance security across PDF components.
Stay updated with the latest cybersecurity developments by following us on Google News, LinkedIn, and X.
