#VU72315 Code Injection in Dompdf - CVE-2022-28368
Published: February 16, 2023 / Updated: October 25, 2024
Dompdf
dompdf
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when handling the "src:url" field of an @font-face Cascading Style Sheets (CSS) statement inside an HTML input file. A remote attacker can link a malicious .php file and have it executed on a system with Dompdf installed when HTML is converted to PDF.
Successful exploitation of the vulnerability can allow an attacker to compromise the affected system.
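The following pre-render check is an added example, not part of the original advisory and not Dompdf code. It shows how an application could inspect @font-face "src:url" values before passing HTML to the converter. The function name, the extension allow-list and the sample HTML are assumptions made for illustration.

```php
<?php
// Added example: pre-render check for @font-face src URLs (not Dompdf code).
// The allow-list is an assumption; adjust it to the fonts you actually serve.
const ALLOWED_FONT_EXTENSIONS = ['ttf', 'otf', 'woff', 'woff2'];

/**
 * Return every @font-face src URL in $html whose path does not end in an
 * allow-listed font extension (for example a URL ending in .php).
 */
function findSuspiciousFontSources(string $html): array
{
    $suspicious = [];
    // Match each @font-face { ... } block, case-insensitively, across lines.
    preg_match_all('/@font-face\s*\{([^}]*)\}/is', $html, $blocks);
    foreach ($blocks[1] as $body) {
        // Pull every url(...) value, quoted or unquoted, out of the block.
        preg_match_all('/url\(\s*[\'"]?([^\'")]+)[\'"]?\s*\)/i', $body, $urls);
        foreach ($urls[1] as $url) {
            $url  = trim($url);
            // parse_url() yields null/false on odd input; both become "".
            $path = (string) parse_url($url, PHP_URL_PATH);
            $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
            if (!in_array($ext, ALLOWED_FONT_EXTENSIONS, true)) {
                $suspicious[] = $url;
            }
        }
    }
    return $suspicious;
}

// Constructed sample input: one ordinary font, one src pointing at a .php file.
$html = <<<'HTML'
<style>
@font-face { font-family: "ok";  src: url("https://fonts.example/ok.ttf"); }
@font-face { font-family: "bad"; src: url('https://host.example/font.php'); }
</style>
<p>Invoice</p>
HTML;

$findings = findSuspiciousFontSources($html);
if ($findings !== []) {
    // Refuse to hand the document to the HTML-to-PDF converter.
    fwrite(STDERR, 'Rejected @font-face src: ' . implode(', ', $findings) . PHP_EOL);
    exit(1);
}
echo 'No suspicious @font-face sources found' . PHP_EOL;
```

The check covers only CSS embedded in the HTML string it is given; stylesheets pulled in by reference are not inspected, so it supplements rather than replaces running a fixed Dompdf release.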