CyberSec.Space Logo
Back to CVE Browser

CVE-2019-1000005

HIGH
8.8
CVSS Severity Score
EPSS Score0.0260%
EPSS Percentile12.65th
PublishedFeb 4, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content <img src="phar://path/to/crafted/image">. This vulnerability appears to have been fixed in 7.1.8.

Affected Platforms (CPE)

📦
Mpdf Project

Mpdf

<= 7.1.7

References & Advisories

🔗 https://github.com/mpdf/mpdf/issues/949
🔗 https://github.com/mpdf/mpdf/issues/949

Related Vulnerabilities

CVE-2018-1904710.0

mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="htt...

CVE-2011-52195.0

Directory traversal vulnerability in examples/show_code.php in mPDF 5.3 and earlier allows remote attackers to read arbitrary file...

CVE-2021-44164.3

The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due ...

CVE-2019-2513610.0

A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and ...