The vulnerability of the Dompdf PHP library for generating PDF documents from HTML markup and CSS styles is related to improper validation before syntactic analysis and canonization. This allows a malicious user to delete arbitrary files or execute arbitrary code.

🗓️ 03 Feb 2023 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 1 Views

Dompdf vulnerability due to improper validation before analysis of image tags, enabling deletion or code execution.

Reporter	Title	Published	Views	Family All 19
GithubExploit	Exploit for Incorrect Behavior Order: Authorization Before Parsing and Canonicalization in Dompdf_Project Dompdf	1 Feb 202318:21	–	githubexploit
Circl	CVE-2023-23924	31 Jan 202313:33	–	circl
CNNVD	Dompdf 安全漏洞	1 Feb 202300:00	–	cnnvd
CVE	CVE-2023-23924	31 Jan 202323:54	–	cve
Cvelist	CVE-2023-23924 URI validation failure on SVG parsing in Dompdf	31 Jan 202323:54	–	cvelist
Debian CVE	CVE-2023-23924	31 Jan 202323:54	–	debiancve
F5 Networks	K000132775: DOMPDF vulnerabilities CVE-2023-23924 and CVE-2023-24813	27 Feb 202319:43	–	f5
Friends Of PHP	Dompdf vulnerable to URI validation failure on SVG parsing	31 Jan 202314:30	–	friendsofphp
Github Security Blog	Dompdf vulnerable to URI validation failure on SVG parsing	1 Feb 202301:37	–	github
Github Security Blog	URI validation failure on SVG parsing. Bypass of CVE-2023-23924	7 Feb 202318:16	–	github

Vulners

Node

php_group phpRange<8.0.0

Source	Link
github	www.github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85
github	www.github.com/dompdf/dompdf/releases/tag/v2.0.2
github	www.github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-23924
web	www.web.nvd.nist.gov/view/vuln/detail

13 Sep 2024 00:00Current

8.1High risk

Vulners AI Score8.1

CVSS 210

CVSS 310

EPSS0.51462

Dompdf image tags validation error code execution file deletion