Description

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

INFO

Published Date :

2024-11-15T10:52:10.986Z

Last Modified :

2024-11-18T14:35:29.986Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2021-3902 vulnerability.

Vendors Products
Dompdf
  • Dompdf
Dompdf Project
  • Dompdf
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2021-3902.

URL Resource
https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799 cve-icon cve-icon
https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e4191b1 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact