Main Vulnerability Database Exploits ID:8852 - Exploit for Files or Directories Accessible to External Parties in Dompdf - CVE-2022-41343

ID:8852 - Exploit for Files or Directories Accessible to External Parties in Dompdf - CVE-2022-41343

Published: February 20, 2023

Vulnerability identifier: #VU72316

Vulnerability risk: High

CVE-ID: CVE-2022-41343

CWE-ID: CWE-552

Exploitation vector: Remote access

Vulnerable software:
Dompdf

Link to public exploit:

https://github.com/BKreisel/CVE-2022-41343

Vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insecure handling of data passed via the "src:url" field of an @font-face Cascading Style Sheets (CSS) statement inside an HTML input file to the registerFont() function in FontMetrics.php. A remote attacker can write arbitrary data to the filesystem (e.g. can create a .php file) and later execute it on the server.

Note, the vulnerability exists due to insufficient patch for #VU72315 (CVE-2022-28368).

Remediation

Install updates from vendor's website.

ID:8852 - Exploit for Files or Directories Accessible to External Parties in Dompdf - CVE-2022-41343

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human