Vulnerability Details CVE-2022-28368
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.58
EPSS Ranking 98.1%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://packetstormsecurity.com/files/171738/Dompdf-1.2.1-Remote-Code-Execution.html
- https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d
- https://github.com/dompdf/dompdf/issues/2598
- https://github.com/dompdf/dompdf/pull/2808
- https://github.com/snyk-labs/php-goof
- https://packagist.org/packages/dompdf/dompdf#v1.2.1
- https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
- http://packetstormsecurity.com/files/171738/Dompdf-1.2.1-Remote-Code-Execution.html
- https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d
- https://github.com/dompdf/dompdf/issues/2598
- https://github.com/dompdf/dompdf/pull/2808
- https://github.com/snyk-labs/php-goof
- https://packagist.org/packages/dompdf/dompdf#v1.2.1
- https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
Products affected by CVE-2022-28368
-
cpe:2.3:a:dompdf_project:dompdf:-
-
cpe:2.3:a:dompdf_project:dompdf:0.5.2
-
cpe:2.3:a:dompdf_project:dompdf:0.6.0
-
cpe:2.3:a:dompdf_project:dompdf:0.6.1
-
cpe:2.3:a:dompdf_project:dompdf:0.6.2
-
cpe:2.3:a:dompdf_project:dompdf:0.7.0
-
cpe:2.3:a:dompdf_project:dompdf:0.8.0
-
cpe:2.3:a:dompdf_project:dompdf:0.8.1
-
cpe:2.3:a:dompdf_project:dompdf:0.8.2
-
cpe:2.3:a:dompdf_project:dompdf:0.8.3
-
cpe:2.3:a:dompdf_project:dompdf:0.8.4
-
cpe:2.3:a:dompdf_project:dompdf:0.8.5
-
cpe:2.3:a:dompdf_project:dompdf:0.8.6
-
cpe:2.3:a:dompdf_project:dompdf:1.0.0
-
cpe:2.3:a:dompdf_project:dompdf:1.0.1
-
cpe:2.3:a:dompdf_project:dompdf:1.0.2
-
cpe:2.3:a:dompdf_project:dompdf:1.1.0
-
cpe:2.3:a:dompdf_project:dompdf:1.1.1