CVE-2019-1000005
NONE EPSS 79.4%
Published Feb 4, 20197y ago · Modified Jun 17, 20262w ago
Published Feb 4, 2019 7y ago
Last Modified Jun 17, 2026 2w ago
Description
mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content <img src="phar://path/to/crafted/image">. This vulnerability appears to have been fixed in 7.1.8.
Threat Intelligence
EPSS Exploit Probability
79.4% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data Validation
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| mpdf_project | mpdf | * | ≤7.1.7 |
References 1
- github.com https://github.com/mpdf/mpdf/issues/949
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.