7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
65.9%
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file
inclusion because a URI validation failure does not halt font registration,
as demonstrated by a @font-face rule.
Author | Note |
---|---|
ccdm94 | the code is not present in version 0.6.2, even though there is a register_font function in include/font_metrics.cls.php which seems to contain similar code as the registerFont function being patched in the fix commit. |