CVE-2021-38574

9.8 CRITICAL

📋 TL;DR

This vulnerability allows SQL injection attacks in Foxit Reader and PhantomPDF through crafted data appended to strings. Attackers can execute arbitrary SQL commands, potentially compromising data integrity and confidentiality. All users of affected versions are at risk.

💻 Affected Systems

Products:
  • Foxit Reader
  • Foxit PhantomPDF
Versions: All versions before 10.1.4
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of vulnerable versions. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via SQL injection leading to data exfiltration, privilege escalation, or remote code execution.

🟠 Likely Case

Data manipulation or extraction from SQL databases used by Foxit applications, potentially exposing sensitive document information.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection attempts may still cause denial of service.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious documents, but documents can be distributed via email or web.
🏢 Internal Only: HIGH - Internal users opening malicious documents could compromise internal databases and systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to open a malicious PDF document. SQL injection payloads can be embedded in document data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.4 and later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download Foxit Reader/PhantomPDF 10.1.4 or later from the official website.
2. Run the installer.
3. Restart the system after installation completes.

🔧 Temporary Workarounds

Disable JavaScript in Foxit

all

Prevents JavaScript-based exploitation vectors that might deliver SQL injection payloads

Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use alternative PDF reader

all

Temporarily switch to non-vulnerable PDF software until patching

🧯 If You Can't Patch

  • Restrict PDF file opening to trusted sources only
  • Implement application whitelisting to block Foxit Reader/PhantomPDF execution

🔍 How to Verify

Check if Vulnerable:

Open Foxit Reader/PhantomPDF > Help > About. Check if version is below 10.1.4.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Confirm version is 10.1.4 or higher in Help > About dialog.
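
A scripted form of the version check above for Windows hosts, as an added example that is not part of the original page or of vendor guidance. It assumes the products register under the standard Windows Uninstall registry keys with a DisplayName beginning "Foxit Reader" or "Foxit PhantomPDF"; the function name Test-FoxitVersion is hypothetical.

```powershell
# Added example: report Foxit installs older than the fixed version on this page (10.1.4).
$FixedVersion = [version]'10.1.4'

# Standard per-machine uninstall registry locations (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-FoxitVersion {
    param([string]$DisplayVersion)
    # Compare only the leading dotted-numeric part so build suffixes do not break parsing.
    if ($DisplayVersion -match '^\d+(\.\d+){1,3}') {
        if ([version]$Matches[0] -lt $FixedVersion) { return 'Vulnerable' }
        return 'Patched'
    }
    # Empty or non-numeric version strings need a manual look in Help > About.
    return 'Unknown'
}

# DisplayName patterns are an assumption based on the product names listed on this page.
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Foxit (Reader|PhantomPDF)' } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Product  = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Test-FoxitVersion $_.DisplayVersion
        }
    }
```

Hosts that return no rows have no matching per-machine install; an "Unknown" status means the recorded version string could not be parsed and should be confirmed in the Help > About dialog.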

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries from Foxit processes
  • Multiple failed SQL connection attempts
  • Large data transfers from Foxit to external IPs

Network Indicators:

  • Outbound SQL connections from user workstations
  • Unexpected database traffic patterns

SIEM Query:

process_name="FoxitReader.exe" AND (event_id=4688 OR destination_port=1433 OR destination_port=3306)
