CVE-2014-2383
Published: 2020-01-10
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.
Priority: P2 · 72
Severity: medium, CVSS 2.0 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 39.37% (98.4th percentile)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-dompdf | < php-dompdf 0.6.2+dfsg-1 (bookworm) | php-dompdf 0.6.2+dfsg-1 (bookworm) |
| debian | php-dompdf | < php-dompdf 0.6.1+dfsg-2 (bookworm) | php-dompdf 0.6.1+dfsg-2 (bookworm) |
| dompdf | dompdf | <= 0.6.0 | — |
| dompdf | dompdf | >= 0.6 < 0.6.2 | 0.6.2 |
| dompdf | dompdf | >= 0.6.0 < 0.6.1 | 0.6.1 |
| dompdf_project | dompdf | < 0.6.2 | 0.6.2 |
Detection & IOCs (extracted from sources)
- url: /dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=php://filter/resource=/etc/passwd
- url: /lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /wp-content/plugins/web-portal-lite-client-portal-secure-file-sharing-private-messaging/includes/libs/pdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /wp-content/plugins/buddypress-component-stats/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /wp-content/plugins/abstract-submission/dompdf-0.5.1/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /wp-content/plugins/blogtopdf/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /wp-content/plugins/gboutique/library/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- url: /wp-content/plugins/wp-ecommerce-shop-styling/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
- Look for HTTP responses containing both the 'application/pdf' Content-Type header and 'filename="dompdf_out.pdf"' in the Content-Disposition header: this indicates dompdf processed the malicious input_file parameter and returned output.
- Match the response body against the regex pattern 'root:[x*]:0:0' to confirm a successful /etc/passwd read via the LFI payload.
- Monitor GET requests to dompdf.php (and the known plugin paths above) where the input_file parameter contains 'php://', specifically php://filter wrappers, as these indicate exploitation attempts.
- Flag requests using the php://filter/read=convert.base64-encode/resource= wrapper in any parameter, as this is the canonical bypass technique used to exfiltrate file contents through dompdf's chroot protection.
- The vulnerability is only exploitable when the DOMPDF_ENABLE_PHP configuration flag is enabled; it is disabled by default, so exploitation requires a non-default configuration.
- Exploitation also requires DOMPDF_ENABLE_REMOTE to be enabled, adding a second non-default prerequisite.
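As an added example that is not part of this page's sources, the following Python detector applies the request-side and response-side checks listed above: it flags requests to any path ending in dompdf.php whose input_file parameter carries a php:// wrapper (after URL-decoding), confirms a read from the response markers the page names, and checks whether a dompdf configuration has both non-default prerequisite flags enabled. The access-log lines, IP addresses, response and configuration dict are all constructed for the illustration.

```python
"""Detection helpers for CVE-2014-2383 (dompdf input_file php:// wrapper abuse).

Added example for this page. The log lines, headers, body and config values
below are constructed samples, not captures from any real system.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request side: an input_file value that starts with a php:// wrapper. Matched
# after URL-decoding so %3A/%2F-encoded forms do not slip past the check.
PHP_WRAPPER_RE = re.compile(r"^php://", re.IGNORECASE)
# The canonical exfiltration form named on the page (read= is optional in practice).
BASE64_FILTER_RE = re.compile(
    r"php://filter/(?:read=)?convert\.base64-encode/resource=", re.IGNORECASE
)
# Response side: the /etc/passwd root entry the page tells you to match.
PASSWD_ROOT_RE = re.compile(r"root:[x*]:0:0")

# Common/combined access-log format; only the request target is used here.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def classify_request(target):
    """Return a finding dict if the request target looks like CVE-2014-2383 abuse, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("dompdf.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    for raw in qs.get("input_file", []):
        value = unquote(raw)  # parse_qs decoded once; a second pass catches double encoding
        if PHP_WRAPPER_RE.search(value):
            return {
                "path": parts.path,
                "input_file": value,
                "base64_filter": bool(BASE64_FILTER_RE.search(value)),
            }
    return None


def scan_access_log(lines):
    """Run classify_request over access-log lines and return the findings in order."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), status=int(m.group("status")))
            hits.append(finding)
    return hits


def response_confirms_read(headers, body):
    """True when the response carries both dompdf output markers and the root passwd line.

    Note: the base64-encoded variant hides the passwd text inside the PDF, so the
    body regex only confirms the unencoded read; decode the PDF text first for that case.
    """
    h = {k.lower(): v for k, v in headers.items()}
    is_pdf = h.get("content-type", "").lower().startswith("application/pdf")
    dompdf_name = 'filename="dompdf_out.pdf"' in h.get("content-disposition", "")
    return is_pdf and dompdf_name and bool(PASSWD_ROOT_RE.search(body))


def config_exposed(config):
    """True only when both non-default prerequisites named on the page are enabled."""
    return bool(config.get("DOMPDF_ENABLE_PHP")) and bool(config.get("DOMPDF_ENABLE_REMOTE"))


# Constructed sample log: two exploitation attempts (one URL-encoded), one benign
# dompdf request, and one php:// wrapper aimed at a non-dompdf script.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2020:10:00:00 +0000] "GET /lib/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 4123',
    '203.0.113.5 - - [10/Jan/2020:10:00:01 +0000] "GET /dompdf.php?input_file=php%3A%2F%2Ffilter%2Fresource%3D%2Fetc%2Fpasswd HTTP/1.1" 200 3981',
    '198.51.100.7 - - [10/Jan/2020:10:00:02 +0000] "GET /dompdf.php?input_file=invoice.html HTTP/1.1" 200 22011',
    '198.51.100.7 - - [10/Jan/2020:10:00:03 +0000] "GET /index.php?page=php://filter/resource=/etc/passwd HTTP/1.1" 404 512',
]

# Constructed response stand-in: plain text in place of a real PDF content stream.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "application/pdf",
    "Content-Disposition": 'attachment; filename="dompdf_out.pdf"',
}
SAMPLE_RESPONSE_BODY = "%PDF-1.3\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print("read confirmed:", response_confirms_read(SAMPLE_RESPONSE_HEADERS, SAMPLE_RESPONSE_BODY))
    print("config exposed:", config_exposed({"DOMPDF_ENABLE_PHP": True, "DOMPDF_ENABLE_REMOTE": True}))
```

Running the block prints the two flagged requests (the fourth log line is ignored because it does not target dompdf.php, matching the page's scoping of the indicator) and the two boolean checks. The configuration check is the cheapest control of all: with either flag at its default off value the page's own prerequisites are not met.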
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 6.8 | MEDIUM | — |
| osv | — | 10.0 | CRITICAL | — |
| vulncheck | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | LOW | — |
VulDB
dompdf 0.6.0 dompdf.php php:/filter/read=convertbase64-encode/resource information disclosure (EDB-33004)
vuldb · 2026-05-12 · CVSS 6.8 · CVE-2014-2383 [MEDIUM]
A vulnerability marked as problematic has been reported in dompdf 0.6.0. It affects an unknown function of the file dompdf.php. Manipulation of the argument php:/filter/read=convertbase64-encode/resource results in information disclosure. This vulnerability is tracked as CVE-2014-2383. The attack can be carried out remotely, and an exploit is available. Upgrading the affected component is recommended.
OSV
DOMPDF Remote Code Execution
osv · 2022-05-17 · CVSS 6.8 · CVE-2014-5013 [MEDIUM]
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.
GHSA
DOMPDF Remote Code Execution
ghsa · 2022-05-17 · CVSS 6.8 · CVE-2014-5013 [MEDIUM] · CWE-94
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.
GHSA
DOMPDF Arbitrary File Read
ghsa · 2022-05-14 · CVE-2014-2383 [MEDIUM] · CWE-200
dompdf.php in dompdf before 0.6.1, when `DOMPDF_ENABLE_PHP` is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a `php://filter/read=convert.base64-encode/resource` in the input_file parameter.
OSV
DOMPDF Arbitrary File Read
osv · 2022-05-14 · CVE-2014-2383 [MEDIUM]
dompdf.php in dompdf before 0.6.1, when `DOMPDF_ENABLE_PHP` is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a `php://filter/read=convert.base64-encode/resource` in the input_file parameter.
OSV
CVE-2014-5013: DOMPDF before 0
osv · 2020-01-10 · CVSS 6.8 · CVE-2014-5013 [MEDIUM]
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.
OSV
icu vulnerabilities
osv · 2015-03-05 · CVSS 10.0 · CVE-2013-1569
It was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419)
It was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-6585, CVE-2014-6591)
It was discovered that ICU incorrectly handled memory operations when processing regular expressions. If a
OSV
CVE-2014-2383: dompdf
osv · 2014-04-28 · CVSS 6.8 · CVE-2014-2383 [MEDIUM]
dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
VulnCheck
dompdf dompdf Exposure of Sensitive Information to an Unauthorized Actor
vulncheck · 2014 · CVSS 6.8 · CVE-2014-2383 [MEDIUM]
dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
Affected: dompdf dompdf
Required action: apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation references: https://app.crowdsec.net/cti/cve-explorer/CVE-2014-2383; https://viz.greynoise.io/tags/dompdf-file-read-cve-2014-2383-lfi-attempt
Exploit PoC: https://vulncheck.com/xdb/b998dc877f2e
Debian
CVE-2014-5013: php-dompdf - DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-23...
vendor_debian · 2014 · CVSS 6.8 · CVE-2014-5013 [MEDIUM]
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.
Scope: local
- bookworm: resolved (fixed in 0.6.2+dfsg-1)
- bullseye: resolved (fixed in 0.6.2+dfsg-1)
- sid: resolved (fixed in 0.6.2+dfsg-1)
Debian
CVE-2014-2383: php-dompdf - dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows con...
vendor_debian · 2014 · CVSS 6.8 · CVE-2014-2383 [MEDIUM]
dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
Scope: local
- bookworm: resolved (fixed in 0.6.1+dfsg-2)
- bullseye: resolved (fixed in 0.6.1+dfsg-2)
- sid: resolved (fixed in 0.6.1+dfsg-2)
No detection rules found.
Exploit-DB
dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read
exploitdb · 2014-04-24 · CVSS 6.8 · CVE-2014-2383 [MEDIUM]
---
Vulnerability title: Arbitrary file read in dompdf
CVE: CVE-2014-2383
Vendor: dompdf
Product: dompdf
Affected version: v0.6.0
Fixed version: v0.6.1 (partial fix)
Reported by: Alejo Murillo Moyas
Details:
An arbitrary file read vulnerability is present in the dompdf.php file that allows remote or local attackers to read local files using a specially crafted argument. This vulnerability requires the configuration flag DOMPDF_ENABLE_PHP to be enabled (which is disabled by default).
Using PHP protocol and wrappers it is possible to bypass dompdf's "chroot" protection (DOMPDF_CHROOT), which prevents dompdf from accessing system files or other files on the webserver. Please note that the flag DOMPDF_ENABLE_REMOTE needs to be enabled.
Com
Nuclei
Dompdf < v0.6.0 - Local File Inclusion
nuclei · CVSS 6.8 · CVE-2014-2383 [MEDIUM]
A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
Template:

```yaml
id: CVE-2014-2383

info:
  name: Dompdf < v0.6.0 - Local File Inclusion
  author: 0x_Akoko,akincibor,ritikchaddha
  severity: medium
  description: |
    A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://fi
```