CVE-2022-28368
Published: 03 April 2022
Summary
CVE-2022-28368 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Dompdf Project Dompdf. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Dompdf version 1.2.1 is affected by a remote code execution vulnerability that occurs when an attacker supplies an HTML document containing a CSS @font-face rule whose src:url field references a .php file. The library processes the supplied stylesheet without sufficient validation of font sources, allowing the referenced PHP content to be executed in the context of the Dompdf process.
An unauthenticated remote attacker can exploit the flaw simply by submitting a crafted HTML file to any application that uses Dompdf to render user-controlled documents. Successful exploitation grants arbitrary code execution on the server, with impacts equivalent to full confidentiality, integrity, and availability compromise as reflected in the CVSS 9.8 rating.
The project addressed the issue in commit 4c70e1025bcd9b7694b95dd552499bd83cd6141d and pull request 2808; administrators should upgrade to a patched release. Public exploit code has been published, and the vulnerability maintains an EPSS score near 0.88, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1865
Vulnerability details
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.