Improper Restriction of External Entities (XXE) Vulnerability
CVE-2021-3902
9.8CRITICAL
Key Information:
- Vendor
- DomPDF
- Status
- DomPDF/domPDF
- Vendor
- CVE Published:
- 15 November 2024
Summary
An issue exists in the SVG parser of dompdf, where improper restrictions on external entities can lead to Server-Side Request Forgery (SSRF) and deserialization attacks. This vulnerability allows attackers to exploit the system irrespective of the isRemoteEnabled option being set to false. It may result in the disclosure of internal image files and enable PHAR deserialization attacks, posing significant risks to the integrity of the application and its data.
Affected Version(s)
dompdf/dompdf < 2.0.0
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved