CVE-2020-13756 – sabberworm/php-css-parser
Package
Manager: composer
Name: sabberworm/php-css-parser
Vulnerable Version: >=8.3.0 <8.3.1 || >=8.2.0 <8.2.1 || >=8.1.0 <8.1.1 || >=8.0.0 <8.0.1 || >=7.0.0 <7.0.4 || >=6.0.0 <6.0.2 || >=5.2.0 <5.2.1 || >=5.1.0 <5.1.3 || >=5.0.0 <5.0.9 || >=4.0.0 <4.0.1 || >=3.0.0 <3.0.1 || >=2.0.0 <2.0.1 || >=1.0.0 <1.0.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.24815 (percentile 0.95929)
Details
Sabberworm PHP CSS Parser Code injection vulnerability in allSelectors()
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
Metadata
Created: 2022-03-26T00:15:22Z
Modified: 2023-09-21T20:00:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-phrq-v4q2-hmq6/GHSA-phrq-v4q2-hmq6.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-phrq-v4q2-hmq6
Finding: F184
Auto approve: 1