CVE-2022-41343 Dompdf before 2.0.1 allows remote file inclusion due to a font registration bug.

An attacker can exploit this flaw to inject code into a vulnerable application and receive code execution privileges. This issue was addressed by disabling font registration through the @font-face rule. CVE-2018-1130 An exploitable error exists in _getFonts in FontMetrics.php in Dompdf before 2.0.1. An attacker can inject malicious @font-face rules into an affected application and cause a denial of service. This issue was addressed by disabling @font-face rules in the application. NOTE: If you are using a version of Dompdf prior to 2.0.1, you must upgrade to 2.0.1 to protect against this CVE. An exploitable error exists in _getFonts in FontMetrics.php in Dompdf before 2.0.1. An attacker can inject malicious @font-face rules into an affected application and cause a denial of service. This issue was addressed by disabling @font-face rules in the application. If you are using a version of Dompdf prior to 2.0.1, you must upgrade to 2.0.1 to protect against this CVE. An exploitable error exists in _getFonts in FontMetrics.php in Dompdf before 2.0.1. An attacker can inject malicious @font-face rules into an affected application and cause a denial of service. This issue was addressed by disabling @font-face rules in the application. If you

vulneralge and reciprocal

The vulnerability could be exploited remotely.

Timeline

Published on: 09/25/2022 19:15:00 UTC
Last modified on: 09/28/2022 16:37:00 UTC

References

• https://github.com/dompdf/dompdf/releases/tag/v2.0.1
• https://github.com/dompdf/dompdf/issues/2994
• https://github.com/dompdf/dompdf/pull/2995
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41343