Improper input validation in Dompdf
CVE-2023-50262
Dompdf is an HTML to PDF converter for PHP. When parsing SVG images, Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.015 (70.4th percentile)
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
Affected products
- Dompdf — versions < 2.0.4
- Dompdf_project Dompdf
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security-advisories@github.com (x_refsource_CONFIRM, Exploit, Vendor Advisory)
- security-advisories@github.com (Patch, x_refsource_MISC)
- security-advisories@github.com (Product, x_refsource_MISC)
Frequently asked questions
- What is CVE-2023-50262?
  CVE-2023-50262 is a medium-severity vulnerability in Dompdf, classified under Improper Input Validation. CVSS score: 5.3/10. Published 2023-12-13.
- How severe is CVE-2023-50262?
  Medium severity. CVSS v3 base score is 5.3 out of 10.
- Is CVE-2023-50262 known to be exploited?
  2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.