318 matches found

OSV (added 2024/11/15 12:31 p.m., 18 views)

GHSA-577P-7J7H-2JGF Deserialization of Untrusted Data in dompdf/dompdf

DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file...

CVSS 9.8 | AI score 9.6 | EPSS 0.06926
Exploits 1 | References 4

Snyk (added 2024/11/15 11:44 a.m., 1 view)

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the file_get_contents function. An attacker can execute arbitrary code by uploading a file with a malicious phar:// protocol, leading to the deserialization and instantiation of arbitrary PHP...

CVSS 9.8 | AI score 8.2 | EPSS 0.06926
Exploits 1 | References 2

NVD (added 2024/11/15 11:15 a.m., 14 views)

CVE-2021-3902

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to...

CVSS 9.8 | EPSS 0.0509
Exploits 1 | References 2

OSV (added 2024/11/15 11:15 a.m., 10 views)

CVE-2021-3902

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to...

CVSS 9.8 | AI score 6.8
Exploits 0 | References 2

OSV (added 2024/11/15 11:15 a.m., 1 view)

DEBIAN-CVE-2021-3902

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to...

CVSS 9.8 | AI score 8.6 | EPSS 0.0509
Exploits 1 | References 1

NVD (added 2024/11/15 11:15 a.m., 20 views)

CVE-2021-3838

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and...

CVSS 9.8 | EPSS 0.06926
Exploits 1 | References 2

OSV (added 2024/11/15 11:15 a.m., 14 views)

CVE-2021-3838

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and...

CVSS 9.8 | AI score 9.7
Exploits 0 | References 2

OSV (added 2024/11/15 11:15 a.m., 2 views)

DEBIAN-CVE-2021-3838

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and...

CVSS 9.8 | AI score 9.2 | EPSS 0.06926
Exploits 1 | References 1

Vulnrichment (added 2024/11/15 10:52 a.m., 10 views)

CVE-2021-3902 Improper Restriction of XML External Entity Reference in dompdf/dompdf

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to...

CVSS 9.8 | AI score 7.2 | EPSS 0.0509
Exploits 1 | References 2

Cvelist (added 2024/11/15 10:52 a.m., 18 views)

CVE-2021-3902 Improper Restriction of XML External Entity Reference in dompdf/dompdf

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to...

CVSS 9.8 | EPSS 0.0509
Exploits 1 | References 2

Cvelist (added 2024/11/15 10:51 a.m., 19 views)

CVE-2021-3838 PHAR Deserialization in dompdf/dompdf

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and...

CVSS 9.8 | EPSS 0.06926
Exploits 1 | References 2

Vulnrichment (added 2024/11/15 10:51 a.m., 22 views)

CVE-2021-3838 PHAR Deserialization in dompdf/dompdf

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and...

CVSS 9.8 | AI score 8 | EPSS 0.06926
Exploits 1 | References 2
CNNVD (added 2024/11/15 12:00 a.m., 1 view)

Dompdf Code Issue Vulnerability

Dompdf is an open source HTML to PDF converter. A code issue vulnerability exists in Dompdf versions prior to 2.0.0, which stems from an improper restriction of external entity (XXE) vulnerability that could lead to server-side request forgery (SSRF) and deserialization...

CVSS 9.8 | AI score 9.2 | EPSS 0.0509
Exploits 1 | References 2
OpenVAS (added 2024/03/21 12:00 a.m., 10 views)

Debian: Security Advisory (DSA-5642-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8 | AI score 8.2 | EPSS 0.09628
Exploits 2 | References 2

Debian (added 2024/03/20 7:11 p.m., 27 views)

[SECURITY] [DSA 5642-1] php-dompdf-svg-lib security update

------------------------------------------------------------------------- Debian Security Advisory DSA-5642-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 20, 2024 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 7.5 | EPSS 0.09628
Exploits 2

OSV (added 2024/03/20 12:00 a.m., 17 views)

DSA-5642-1 php-dompdf-svg-lib - security update

Bulletin has no description...

CVSS 9.8 | AI score 7.9 | EPSS 0.09628
Exploits 2

OSV (added 2024/02/22 6:15 p.m., 95 views)

GHSA-97M3-52WR-XVV2 Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE

Summary: A lack of sanitization/check in the font path returned by php-svg-lib, in the case of an inline CSS font defined, that will be used by Cpdf to open a font will be passed to a file_exists call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL...

CVSS 10 | AI score 7.5
Exploits 0 | References 4

Github Security Blog (added 2024/02/22 6:15 p.m., 44 views)

Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE

Summary: A lack of sanitization/check in the font path returned by php-svg-lib, in the case of an inline CSS font defined, that will be used by Cpdf to open a font will be passed to a file_exists call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL...

AI score 7.5
Exploits 0 | References 4 | Affected Software 1

Veracode (added 2023/12/14 6:25 a.m., 24 views)

Denial Of Service (DoS)

dompdf/dompdf is vulnerable to Denial Of Service (DoS). The vulnerability exists in Cache.php due to the lack of SVG reference recursion validation, which allows an attacker to cause an application crash by providing a maliciously crafted SVG image...

CVSS 7.5 | AI score 6.7 | EPSS 0.06147
Exploits 1 | References 3 | Affected Software 2

OSV (added 2023/12/13 11:09 p.m., 10 views)

GHSA-3QX2-6F78-W2J2 Denial of service caused by infinite recursion when parsing SVG images

Summary: When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, a recursive chain using two or more SVG documents is not correctly validated. Depending on t...

CVSS 5.3 | AI score 7.5 | EPSS 0.06147
Exploits 1 | References 6