uTools PDF Preview Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in the uTools desktop application for Windows, affecting versions up to and including 7.1.1. The flaw is in the PDF preview feature: the application does not validate the font types embedded in a PDF before rendering it, so a crafted PDF can execute attacker-controlled JavaScript. Because the preview runs inside the desktop application rather than in a browser sandbox, that script runs in the application's privileged context, potentially leading to unauthorized actions or data theft.

Impact

Exploitation executes the PDF's embedded JavaScript in the context of the uTools application. Data the application stores, such as notes, passwords and scripts, can be read and exfiltrated, and the same foothold can be used to perform unauthorized actions on the system or as a stepping stone for further attacks.

Reproduction

To reproduce this vulnerability, save a PDF containing embedded JavaScript (for example, a script that opens an alert box) to the local file system. Open an affected version of uTools (the summary above gives the affected range), locate the saved PDF with the 'File Search' feature, and click it to trigger the preview. The preview renders the PDF and runs the embedded script; the alert box appearing inside uTools confirms the cross-site scripting vulnerability.
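As an added triage example (this is not uTools code and not an exploit for this issue): a small scanner that flags a PDF carrying JavaScript or launch actions before it reaches a preview pane. Naive greps for "/JavaScript" are defeated by two common evasions, hex-escaped names (/Java#53cript) and action objects hidden inside FlateDecode object streams, so the scanner normalises both. The sample PDFs below are constructed inline for the demonstration. One caveat: the summary says the actual trigger here is unvalidated font data, which this name-based check does not inspect, so read a clean result as "no script actions found" rather than "safe to preview".

```python
"""Triage scanner for PDFs that carry JavaScript or launch actions.

Added example, not part of uTools. Scans for the PDF name objects that attach
script or launch behaviour to a document, after undoing #xx name escapes and
inflating FlateDecode streams. Sample PDFs are constructed inline for the demo.
"""
import re
import zlib

# Name objects that attach script or launch behaviour to a document.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Capture everything between the stream keyword and endstream (EOL included,
# a complete zlib stream followed by trailing bytes still inflates cleanly).
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _unescape_names(data: bytes) -> bytes:
    """Decode #xx escapes so /Java#53cript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that is valid zlib data."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates trailing bytes; a non-Flate stream fails
            # on its header and is skipped.
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(extra)


def scan_pdf(data: bytes, normalize: bool = True) -> dict:
    """Return {name: count} for each suspicious name found in the PDF bytes.

    normalize=False shows what a raw grep would see; normalize=True applies
    stream inflation and name unescaping first.
    """
    if normalize:
        data = _unescape_names(_inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at a delimiter, so /JS must not match inside /JSFoo.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, data))
        if count:
            hits[name.decode()] = count
    return hits


# Constructed sample: minimal PDF whose /OpenAction runs JavaScript on open.
JS_PDF = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
          b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
          b"4 0 obj << /S /JavaScript /JS (app.alert('demo')) >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Same document with the action names hex-escaped (#53 is 'S').
ESCAPED_PDF = (JS_PDF.replace(b"/JavaScript", b"/Java#53cript")
                     .replace(b"/JS ", b"/J#53 "))


def build_objstm_pdf(inner_object: bytes) -> bytes:
    """Constructed sample: hide an object inside a FlateDecode object stream."""
    body = zlib.compress(inner_object)
    return (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


COMPRESSED_PDF = build_objstm_pdf(
    b"4 0 obj << /S /JavaScript /JS (app.alert('demo')) >> endobj")

# Constructed sample with no actions at all.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("plain", JS_PDF), ("escaped", ESCAPED_PDF),
                       ("compressed", COMPRESSED_PDF), ("clean", CLEAN_PDF)):
        print(f"{label:10s} raw={scan_pdf(pdf, normalize=False)} "
              f"normalized={scan_pdf(pdf)}")
```

Run against the escaped and compressed samples, the raw scan misses the JavaScript action entirely while the normalised scan reports it, which is the point of doing the normalisation before any allow/deny decision in a preview pipeline.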

Remediation

As an interim mitigation, users are advised to disable the file preview feature in uTools settings; this closes the rendering path the attack relies on. Until that is done, treat PDFs from untrusted sources as active content rather than as inert documents.

Added: Sep 2, 2025, 6:23 PM
Updated: Sep 2, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.8
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.