CVE-2022-28368: Code Injection
First published: Thu Mar 24 2022(Updated: )
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/dompdf/dompdf | <1.2.1 | |
| composer/dompdf/dompdf | <1.2.1 | 1.2.1 |
| Dompdf | <1.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/advisories/GHSA-x752-qjv4-c4hc (Advisory)
- http://packetstormsecurity.com/files/171738/Dompdf-1.2.1-Remote-Code-Execution.html
- https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d
- https://github.com/dompdf/dompdf/issues/2598
- https://github.com/dompdf/dompdf/pull/2808
- https://github.com/snyk-labs/php-goof
- https://packagist.org/packages/dompdf/dompdf#v1.2.1
- https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2022-28368
- https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-28368.yaml
Frequently Asked Questions
What is CVE-2022-28368?
CVE-2022-28368 is a vulnerability that allows remote code execution in Dompdf before version 1.2.1 via a .php file in the src:url field of an @font-face CSS statement within an HTML input file.
How severe is CVE-2022-28368?
CVE-2022-28368 has a severity rating of 9.8 out of 10, which is considered critical.
What software is affected by CVE-2022-28368?
Dompdf before version 1.2.1 is affected by CVE-2022-28368.
How can I fix CVE-2022-28368?
To fix CVE-2022-28368, upgrade Dompdf to version 1.2.1 or higher.
Where can I find more information about CVE-2022-28368?
You can find more information about CVE-2022-28368 on the following references: [GitHub Advisory](https://github.com/advisories/GHSA-x752-qjv4-c4hc), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-28368), and [Dompdf GitHub issue](https://github.com/dompdf/dompdf/issues/2598).
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x752-qjv4-c4hc
- alias/CVE-2022-28368
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/remedy
- agent/author
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/composer
- vendor/dompdf project
- canonical/dompdf