Remote Code Execution via @font-face CSS Statement in Dompdf 1.2.1

Remote Code Execution via @font-face CSS Statement in Dompdf 1.2.1

CVE-2022-28368 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).

Learn more about our Web Application Penetration Testing UK.