Remote Code Execution via @font-face CSS Statement in Dompdf 1.2.1
CVE-2022-28368 · CRITICAL Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
Learn more about our Web Application Penetration Testing UK.