CVE-2019-1000005

NONE EPSS 79.4%
Published Feb 4, 20197y ago · Modified Jun 17, 20262w ago
Find Similar
Published Feb 4, 2019 7y ago
Last Modified Jun 17, 2026 2w ago

Description

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content <img src="phar://path/to/crafted/image">. This vulnerability appears to have been fixed in 7.1.8.

Threat Intelligence

EPSS Exploit Probability
79.4% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

Affected Products 1

VendorProductVersionRange
mpdf_projectmpdf* ≤7.1.7

References 1

  • github.com https://github.com/mpdf/mpdf/issues/949
    ExploitIssue TrackingThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.