Improper Restriction of External Entities (XXE) Vulnerability

CVE-2021-3902

9.8CRITICAL

Key Information

Vendor: DomPDF
Status: DomPDF/domPDF
Vendor: CVE Published:; 15 November 2024

Summary

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

Affected Version(s)

dompdf/dompdf < 2.0.0

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 9.8 - (CRITICAL)
Nov 15, 2024
Vulnerability published.
Nov 15, 2024
Vulnerability Reserved.
Oct 24, 2021

Collectors

NVD DatabaseMitre Database