=====================================================================
CERT-Renater Information Note No. 2014/VULN136
_____________________________________________________________________

DATE                 : 02/07/2014
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Foxit Reader versions prior to 6.2.1,
                       Foxit Enterprise Reader versions prior to 6.2.1,
                       Foxit PhantomPDF versions prior to 6.2.1.
======================================================================

http://www.foxitsoftware.com/support/security_bulletins.php#FRD-21
______________________________________________________________________

Fixed a security issue caused by a stored XSS vulnerability when reading and
displaying filenames and their paths in the "Recent Documents" section of the
Start Page.

SUMMARY

Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1 and Foxit PhantomPDF 6.2.1
fix a security issue caused by a stored XSS vulnerability when reading and
displaying filenames and their paths in the "Recent Documents" section of the
Start Page. The list is read from a registry entry, and the values were
rendered without being treated as untrusted input: an attacker able to tamper
with that registry entry could inject content that the application renders
when the Start Page loads, and so cause it to load malicious files.

Affected Versions

  Foxit Reader 6.2.0.0429 and earlier
  Foxit Enterprise Reader 6.2.0.0429 and earlier
  Foxit PhantomPDF 6.2.0.0429 and earlier

Fixed in Version

  Foxit Reader 6.2.1
  Foxit Enterprise Reader 6.2.1
  Foxit PhantomPDF 6.2.1

SOLUTION

Do one of the following:

  - Use "Check for Update" in the "Help" menu of Foxit Reader, Foxit
    Enterprise Reader or Foxit PhantomPDF to update to Foxit Reader 6.2.1,
    Foxit Enterprise Reader 6.2.1 or Foxit PhantomPDF 6.2.1.

  - Download the updated version of Foxit Reader, Foxit Enterprise Reader or
    Foxit PhantomPDF from the Foxit website.
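The bug class behind this bulletin is a display component that takes strings from a store an attacker can write to (here, the registry entry behind "Recent Documents") and inserts them into an HTML-rendered page as markup rather than as text. The following is an added illustration of that class written for this note; it is not Foxit's Start Page code, the file paths are constructed for the example, and the assumption that the list is rendered into HTML by string concatenation is the editor's, not something the bulletin states. It shows the vulnerable rendering pattern beside a hardened one and a check that tells them apart.

```javascript
// Added illustration of stored XSS via a "Recent Documents" list.
// Not Foxit code. The paths are constructed; the second one carries an
// inline event handler that only fires if the string reaches the page
// as markup. Where the real list comes from (a registry value) is assumed.
const recentDocuments = [
  "C:\\Users\\alice\\Documents\\report.pdf",
  "C:\\Users\\alice\\Downloads\\<img src=x onerror=alert(document.cookie)>.pdf",
];

// Vulnerable pattern: the untrusted path is concatenated straight into
// HTML (as it would be with innerHTML). Any '<', '"' or '&' in the path
// becomes markup, so the hostile entry above becomes a live <img> tag.
function renderRecentUnsafe(paths) {
  return "<ul>" + paths.map(p => `<li>${p}</li>`).join("") + "</ul>";
}

// Hardened pattern: escape the five HTML-significant characters before the
// value enters an HTML context. Done with a string replace so the block
// runs without a DOM; in a real page prefer textContent / createTextNode,
// which never parse the value as markup at all. If the path is also used
// as an href, escaping is not enough: validate it as a local file path so
// a stored "javascript:" URL cannot be navigated to.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

function renderRecentSafe(paths) {
  return "<ul>" + paths.map(p => `<li>${escapeHtml(p)}</li>`).join("") + "</ul>";
}

// Cheap reviewer check over rendered output: did any input survive as a
// real tag? An escaped entry shows up as "&lt;img", which this regex
// deliberately does not match.
function containsLiveTag(html, tag) {
  return new RegExp(`<${tag}\\b`, "i").test(html);
}

const unsafe = renderRecentUnsafe(recentDocuments);
const safe = renderRecentSafe(recentDocuments);
console.log("unsafe output carries a live <img>:", containsLiveTag(unsafe, "img")); // true
console.log("safe output carries a live <img>:", containsLiveTag(safe, "img"));     // false
```

The same check applies to any "recently used" or "history" list that an application persists to disk or registry and later renders in an embedded web view: the store is writable by anything running as the user, so its contents must be treated exactly like form input.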
SECURITY PROCESS

  2014-05-24: Bernardo Rodrigues found the issue.
  2014-06-03: Core Security Technologies confirmed the issue.
  2014-06-11: Foxit fixed the issue.
  2014-07-01: Foxit released the fixed versions: Foxit Reader 6.2.1,
              Foxit Enterprise Reader 6.2.1 and Foxit PhantomPDF 6.2.1.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr  +
==========================================================