sabberworm/php-css-parser is vulnerable to remote code execution. Untrusted user input is passed into eval() when the functions allSelectors() or getSelectorsBySpecificity() are called, which leads to arbitrary code execution.
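One way to evaluate a specificity filter without eval(), as an added example (not the project's code and not the patch in the linked commits). It assumes the filter handed to these functions is one comparison operator followed by an integer, such as ">= 100"; specificityMatches() is a hypothetical name.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the library's code): decide whether a selector's
 * specificity satisfies a caller-supplied filter without calling eval().
 * Assumption: a valid filter is one comparison operator plus an integer.
 */
function specificityMatches(int $specificity, string $filter): bool
{
    // Anchored allow-list: one operator, one short run of digits, nothing else.
    // \A and \z (not ^ and $) so a trailing newline cannot slip through.
    if (!preg_match('/\A\s*(==|!=|<=|>=|<|>)\s*(\d{1,9})\s*\z/', $filter, $m)) {
        throw new InvalidArgumentException('Rejected specificity filter');
    }

    $target = (int) $m[2];

    // The operator is dispatched by name; the input is never run as code.
    switch ($m[1]) {
        case '==': return $specificity === $target;
        case '!=': return $specificity !== $target;
        case '<=': return $specificity <= $target;
        case '>=': return $specificity >= $target;
        case '<':  return $specificity < $target;
        default:   return $specificity > $target; // only '>' remains
    }
}

// Constructed sample inputs: two well-formed filters and one with trailing
// text after the number, which an eval()-based comparison would run as PHP.
$samples = ['>= 100', '< 10', '> 0; echo 1'];

foreach ($samples as $filter) {
    try {
        $result = specificityMatches(100, $filter) ? 'match' : 'no match';
    } catch (InvalidArgumentException $e) {
        $result = 'rejected';
    }
    printf("%-14s => %s\n", $filter, $result);
}
```

Callers that accept the filter from a request should treat the exception as a client error rather than falling back to a default comparison.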
packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html
seclists.org/fulldisclosure/2020/Jun/7
github.com/sabberworm/PHP-CSS-Parser/commit/114212ad3556b83a5659b295244906eef62b855c
github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4
github.com/sabberworm/PHP-CSS-Parser/commit/7f81cfd7c81a6f6f5ec46571b587a206141a58bb
github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1