Vulnerability Management, Patch/Configuration Management

Account hijacking, data theft likely with Foxit, Apryse flaws

SecurityWeek reports that widely used PDF platforms Apryse and Foxit have been impacted by 16 vulnerabilities that could be leveraged to facilitate account takeovers and data theft.

Both the Apryse WebViewer and Foxit PDF cloud services had DOM-based cross-site scripting, stored and reflected XSS, server-side request forgery, path traversal, and OS command injection flaws, according to Novee researchers. Tests showed attackers could use crafted documents, messages, or URLs to run code, manipulate files or maintain persistent compromise, especially when viewers were embedded in authenticated applications. Some weaknesses required only a single request and targeted trusted domains commonly integrated into enterprise software.

"Several vulnerabilities were exploitable with a single request and affected trusted domains commonly embedded inside enterprise applications," the security firm said.

Both vendors said the problems were responsibly disclosed and fixed through updates and configuration changes. They noted working with researchers during remediation and strengthened security measures after receiving the report. The analysis was powered by specialized AI agents.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds