CVE-2018-19047
CVE-2018-19047 is a vulnerability of currently unknown severity. mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HTML without sanitising it, you're asking for trouble." EPSS estimates a 2.08% chance of exploitation in the next 30 days.
Description
mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HTML without sanitising it, you're asking for trouble."
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mpdf Project | Mpdf | <= 7.1.6 |
References
- https://github.com/mpdf/mpdf/issues/867 (Exploit, Third Party Advisory)
Source: NVD / NIST
