
CVE-2014-5011: DOMPDF Information Disclosure

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.40667%
Published: 5/17/2022
Updated: 2/6/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Package
Package Name: dompdf/dompdf
Ecosystem: composer
Vulnerable Versions: >= 0.6, < 0.6.2
First Patched Version: 0.6.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from web-accessible demo/debug scripts (debugger.php, demo.php, setup.php) that lacked proper authentication checks in versions before 0.6.2. Because these scripts relied on IP-based checks alone, they allowed unauthorized access to sensitive functionality. The fix (commit cc06008) introduced authentication via auth_ok() checks. However, these are top-level procedural scripts rather than discrete functions, and no specific library functions in the dompdf core were directly implicated. The exposure occurred at the application integration level, through the included demo files, not through identifiable API functions.

WAF Protection Rules

WAF Rule

DOMPDF before 0.6.2 allows Information Disclosure.
