CVE-2022-28368
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
CVE-2021-3838
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and insta...
CVE-2014-5013
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.
CVE-2014-5011
DOMPDF before 0.6.2 allows Information Disclosure.
CVE-2022-0085
Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.
CVE-2022-41343
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
CVE-2014-5012
DOMPDF before 0.6.2 allows denial of service.
CVE-2022-2400
External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.
CVE-2021-3902
An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to f...