CVE-2021-3902

CVSS V2 None CVSS V3 None

Description

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

Overview

CVE ID
CVE-2021-3902

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-11-15T10:52:10.986Z

Last Modified Date
2024-11-15T10:57:06.734Z

Weakness Enumerations

CWE	URL
CWE-611	http://cwe.mitre.org/data/definitions/611.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e4191b1
https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2021-3902
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3902

History

Created	Old Value	New Value	Data Type	Notes
2024-11-16 12:04:09				Added to TrackCVE