GitHub Advisory DatabaseGHSA-PHRQ-V4Q2-HMQ6Sabberworm PHP CSS Parser Code injection vulnerability in allSelectors()
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.015 Low
EPSS
Percentile
87.1%
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
Affected configurations
References
packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html
seclists.org/fulldisclosure/2020/Jun/7
github.com/advisories/GHSA-phrq-v4q2-hmq6
github.com/FriendsOfPHP/security-advisories/blob/master/sabberworm/php-css-parser/CVE-2020-13756.yaml
github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4
github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1
nvd.nist.gov/vuln/detail/CVE-2020-13756
packetstormsecurity.com/files/cve/CVE-2020-13756
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.015 Low
EPSS
Percentile
87.1%