
11 matches found

Snyk
added 2026/05/21 8:22 p.m. · 7 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection via the constructor when the binary path is sourced from user-influenced configuration, environment variables derived from request data, or concatenated with user-controlled fragments. An attacker can execute arbitrary...

7.5 CVSS · 6 AI score
Exploits 0 · References 2

Snyk
added 2026/05/21 8:20 p.m. · 6 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the xsl-style-sheet option. An attacker can access internal or remote resources and read arbitrary local files by supplying crafted input to the xsl-style-sheet parameter. Remediation: Upgrade...

7.2 CVSS · 6 AI score
Exploits 0 · References 2

Microsoft CVE
added 2025/09/03 9:56 p.m. · 3 views

Unsafe deserialization in knplabs/knp-snappy

...

9.8 CVSS · 7 AI score · 0.01582 EPSS
Exploits 1

RedhatCVE
added 2025/05/23 4:36 a.m. · 7 views

CVE-2023-41330

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check if...

9.8 CVSS · 7.9 AI score · 0.11387 EPSS
Exploits 2

NVD
added 2023/09/06 6:15 p.m. · 11 views

CVE-2023-41330

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check if...

9.8 CVSS · 9.8 AI score · 0.01582 EPSS
Exploits 1 · References 3

Vulnrichment
added 2023/09/06 5:33 p.m. · 24 views

CVE-2023-41330 Unsafe deserialization in knplabs/knp-snappy

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check if...

9.8 CVSS · 7.9 AI score · 0.01582 EPSS
Exploits 1 · References 3

Cvelist
added 2023/09/06 5:33 p.m. · 19 views

CVE-2023-41330 Unsafe deserialization in knplabs/knp-snappy

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check if...

9.8 CVSS · 10 AI score · 0.01582 EPSS
Exploits 1 · References 3

OSV
added 2023/09/06 5:33 p.m. · 14 views

CVE-2023-41330 Unsafe deserialization in knplabs/knp-snappy

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check if...

9.8 CVSS · 9.7 AI score · 0.01582 EPSS
Exploits 1 · References 5

CVE
added 2023/09/06 5:33 p.m. · 37 views

CVE-2023-41330

CVE-2023-41330 affects knplabs/knp-snappy (PHP library for thumbnail/snapshot/PDF generation). The issue is an unsafe PHAR deserialization vulnerability related to how output filenames are handled when generateFromHtml() can be controlled and passed to prepareOutput(). Although a patch was added i...

9.8 CVSS · 9.8 AI score · 0.01582 EPSS
Exploits 1 · References 3 · Affected Software 1

Veracode
added 2023/03/23 12:53 a.m. · 63 views

Remote Code Execution (RCE)

knplabs/knp-snappy is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the library not checking the file type during upload, which allows an attacker to upload a phar:// file which will be deserialized during the file_exists function because it fails to check the file type,...

9.8 CVSS · 9.4 AI score · 0.11387 EPSS
Exploits 1 · References 7 · Affected Software 1

Positive Technologies
added 2023/03/17 12:0 a.m. · 5 views

PT-2023-27907 · Knplabs · Knplabs/Knp-Snappy

Name of the Vulnerable Software and Affected Versions: knplabs/knp-snappy versions prior to 1.4.3 Description: The issue concerns a PHAR deserialization vulnerability in the knplabs/knp-snappy PHP library. This vulnerability allows an attacker to gain remote code execution by exploiting the lack ...

9.8 CVSS · 9.9 AI score · 0.11387 EPSS
Exploits 2 · References 26