Vulnerabilities in Nitro Pro PDF editor can expose top firms' data to hackers
Nitro’s PDF editor gives you full creative license with the ability to add, delete, and edit text and images within any PDF. Copy and paste the text into Word and Office files, or insert, extract, and rotate pages to further edit your PDF document.
Security researchers have found two vulnerabilities in the Nitro Pro PDF editor that could be exploited by malicious actors to execute code remotely on affected hosts. Both are remote code execution (RCE) flaws with a CVSS score of 8.8.
The first flaw, tracked as CVE-2020-6074, resides in the PDF parser of Nitro Pro. An attacker looking to exploit the bug needs to provide the victim with a specially crafted PDF to trigger a use-after-free and achieve code execution.
The second flaw, tracked as CVE-2020-6092, resides in the way Nitro Pro parses Pattern objects. An attacker needs to craft a PDF file and lure the victim into opening it to trigger an integer overflow and then achieve remote code execution.
In addition, the researchers found an information disclosure vulnerability in the way Nitro Pro handles XML errors. It is tracked as CVE-2020-6093 and carries a CVSS score of 6.5.
To exploit these flaws, the attacker needs to send a specially crafted PDF document to the target, who must then open it, exposing the information present on the device.
The flaws were present in Nitro Pro editor version 220.127.116.11 and were reported in February. The company released an update earlier in May that fixes the vulnerabilities. To avoid the flaws, users need to update the Nitro Pro editor to the latest version.