CyberSec.Space Logo
返回 CVE 浏览器

CVE-2019-1000005

HIGH
8.8
CVSS Severity Score
EPSS Score0.0260%
EPSS Percentile12.65th
Published2019年2月4日
Last Modified2024年11月21日

Vulnerability Description

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content <img src="phar://path/to/crafted/image">. This vulnerability appears to have been fixed in 7.1.8.

Affected Platforms (CPE)

📦
Mpdf Project

Mpdf

<= 7.1.7

References & Advisories

🔗 https://github.com/mpdf/mpdf/issues/949
🔗 https://github.com/mpdf/mpdf/issues/949

相关漏洞威胁

CVE-2018-1904710.0

mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="htt...

CVE-2011-52195.0

Directory traversal vulnerability in examples/show_code.php in mPDF 5.3 and earlier allows remote attackers to read arbitrary file...

CVE-2021-44164.3

The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due ...

CVE-2019-1170810.0

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the no...