CVE-2014-2383
published 2020-01-10

CVE-2014-2383: DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.

Priority: P272 · medium · CVSS 2.0 6.8
Vector: AV:N / AC:M / Au:N / C:P / I:P / A:P
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 39.37% (98.4th percentile)

Affected (6 ranges)

Vendor          Product     Version range                          Fixed in
debian          php-dompdf  < php-dompdf 0.6.2+dfsg-1 (bookworm)   php-dompdf 0.6.2+dfsg-1 (bookworm)
debian          php-dompdf  < php-dompdf 0.6.1+dfsg-2 (bookworm)   php-dompdf 0.6.1+dfsg-2 (bookworm)
dompdf          dompdf      <= 0.6.0
dompdf          dompdf      >= 0.6, < 0.6.2                        0.6.2
dompdf          dompdf      >= 0.6.0, < 0.6.1                      0.6.1
dompdf_project  dompdf      < 0.6.2                                0.6.2

Detection & IOCs (extracted from sources)

url: /dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=php://filter/resource=/etc/passwd
url: /lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /wp-content/plugins/web-portal-lite-client-portal-secure-file-sharing-private-messaging/includes/libs/pdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /wp-content/plugins/buddypress-component-stats/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /wp-content/plugins/abstract-submission/dompdf-0.5.1/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /wp-content/plugins/blogtopdf/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /wp-content/plugins/gboutique/library/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: /wp-content/plugins/wp-ecommerce-shop-styling/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd
url: http://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=
command: php dompdf.php php://filter/read=convert.base64-encode/resource=
path: dompdf.php
  • Look for HTTP responses carrying both the 'application/pdf' Content-Type header and 'filename="dompdf_out.pdf"' in the Content-Disposition header: this indicates dompdf processed the malicious input_file parameter and returned output.
  • Match the response body against the regex 'root:[x*]:0:0' to confirm a successful /etc/passwd read via the LFI payload.
  • Monitor GET requests to dompdf.php (and the known plugin paths above) where the input_file parameter contains 'php://', specifically php://filter wrappers, as these indicate exploitation attempts.
  • Flag requests using the php://filter/read=convert.base64-encode/resource= wrapper in any parameter; this is the canonical bypass technique used to exfiltrate file contents through dompdf's chroot protection.
  • The vulnerability is only exploitable when the DOMPDF_ENABLE_PHP configuration flag is enabled; it is disabled by default, so exploitation requires a non-default configuration.
  • Exploitation also requires DOMPDF_ENABLE_REMOTE to be enabled, adding a second non-default prerequisite.
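The request-side and response-side checks in the bullets above, implemented as an added example that is not part of this CVE record or of the dompdf project; the common-log-format lines, the dompdf.php path suffix match and the base64 handling are assumptions made for the example.

```python
"""Detection helpers for the CVE-2014-2383 dompdf input_file indicators above."""
import base64, binascii, re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:10:00:01 +0000] "GET /lib/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 5120
10.0.0.6 - - [10/Jan/2020:10:00:02 +0000] "GET /lib/dompdf/dompdf.php?input_file=report.html HTTP/1.1" 200 8192
10.0.0.7 - - [10/Jan/2020:10:00:03 +0000] "GET /index.php?page=php://filter/resource=/etc/passwd HTTP/1.1" 404 210
10.0.0.8 - - [10/Jan/2020:10:00:04 +0000] "GET /wp-content/plugins/blogtopdf/dompdf/dompdf.php?input_file=PHP%3A%2F%2Ffilter%2Fresource%3D%2Fetc%2Fpasswd HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
PASSWD_RE = re.compile(r'root:[x*]:0:0')               # the page's /etc/passwd confirmation pattern
B64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')   # candidate base64 runs in a response body

def flag_requests(log_text):
    """Return (ip, path) for GETs to dompdf.php whose input_file carries a php:// wrapper."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'GET':
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.lower().endswith('/dompdf.php'):  # assumption: covers the plugin paths above
            continue
        # parse_qs already percent-decodes once; unquote again to catch double-encoded wrappers
        values = parse_qs(parts.query, keep_blank_values=True).get('input_file', [])
        if any('php://' in unquote(v).lower() for v in values):
            hits.append((m.group('ip'), parts.path))
    return hits

def body_has_passwd(body):
    """Match root:[x*]:0:0 in the body, or inside base64 runs (convert.base64-encode output)."""
    if PASSWD_RE.search(body):
        return True
    for run in B64_RUN_RE.findall(body):
        try:
            decoded = base64.b64decode(run, validate=True).decode('utf-8', 'replace')
        except (binascii.Error, ValueError):
            continue
        if PASSWD_RE.search(decoded):
            return True
    return False

def response_confirms_read(headers, body):
    """True when a dompdf PDF response (per the header indicators above) also carries /etc/passwd."""
    ctype = headers.get('Content-Type', '').lower()
    disp = headers.get('Content-Disposition', '')
    return 'application/pdf' in ctype and 'filename="dompdf_out.pdf"' in disp and body_has_passwd(body)
```

The plain regex in the bullets does not match output of the convert.base64-encode filter, so the body check also decodes base64 runs before matching.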

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa                    6.8    MEDIUM
osv                     10.0   CRITICAL
vulncheck               6.8    MEDIUM
vendor_debian           6.8    LOW