Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
URI validation failure on SVG parsing in Dompdf
Vulnerability Description
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
Vulnerability Type
不正确的行为次序:在解析与净化处理之前进行授权
Vulnerability Title
Dompdf 安全漏洞
Vulnerability Description
Dompdf是一个 HTML 到 PDF 的转换器。 Dompdf 2.0.1版本存在安全漏洞。攻击者利用该漏洞可以使用任意协议调用任意URL。
CVSS Information
N/A
Vulnerability Type
N/A