CVE-2020-18972

Name	CVE-2020-18972
Description	Exposure of Sensitive Information to an Unauthorized Actor in PoDoFo v0.9.6 allows attackers to obtain sensitive information via 'IsNextToken' in the component 'src/base/PdfToenizer.cpp'.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libpodofo (PTS)	buster	0.9.6+dfsg-5	vulnerable
	bullseye	0.9.7+dfsg-2	vulnerable
	bookworm, sid	0.9.8+dfsg-3	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libpodofo	source	(unstable)	(unfixed)	unimportant

https://sourceforge.net/p/podofo/tickets/49/
Negligible security impact