php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling `<use>` tag that references an `<image>` tag, it merges the attributes from the `<use>` tag to the `<image>` tag. The problem pops up especially when the `href` attribute from the `<use>` tag has not been sanitized. This can lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8. Version 0.5.1 contains a patch for this issue.
References
Link | Resource |
---|---|
https://github.com/dompdf/php-svg-lib/commit/08ce6a96d63ad7216315fae34a61c886dd2dc030 | Patch |
https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4cr | Exploit Mitigation Vendor Advisory |
https://github.com/dompdf/php-svg-lib/commit/08ce6a96d63ad7216315fae34a61c886dd2dc030 | Patch |
https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4cr | Exploit Mitigation Vendor Advisory |
Configurations
History
21 Nov 2024, 08:36
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.3 |
References | () https://github.com/dompdf/php-svg-lib/commit/08ce6a96d63ad7216315fae34a61c886dd2dc030 - Patch | |
References | () https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4cr - Exploit, Mitigation, Vendor Advisory |
15 Dec 2023, 17:50
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-12 21:15
Updated : 2024-11-21 08:36
NVD link : CVE-2023-50252
Mitre link : CVE-2023-50252
CVE.ORG link : CVE-2023-50252
JSON object : View
Products Affected
dompdf
- php-svg-lib