CVE Vulnerability

CVE-2020-13756

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

7.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4 Patch Third Party Advisory
http://seclists.org/fulldisclosure/2020/Jun/7 Exploit Mailing List
https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1 Release Notes Third Party Advisory
http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:sabberworm:php_css_parser:*:*:*:*:*:*:*:*
Information

Published : 2020-06-03 02:15

Updated : 2021-07-21 11:39

NVD link : CVE-2020-13756

Mitre link : CVE-2020-13756

Products Affected
No products.
CWE
CWE-94