
CVE-2014-5013: DOMPDF Remote Code Execution

CVSS Score: 8.8

Basic Information

EPSS Score: -
Published: 5/17/2022
Updated: 2/6/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name     Ecosystem   Vulnerable Versions   First Patched Version
dompdf/dompdf    composer    >= 0.6, < 0.6.2       0.6.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from DOMPDF's PHP execution capability (DOMPDF_ENABLE_PHP), which passed embedded PHP to eval() in PHP_Evaluator::execute. The 0.6.2 release notes mention security fixes related to the removal of PHP preprocessing. The CWE-94 classification confirms code injection via eval(), and the RCE impact matches unrestricted PHP execution driven by document input. Because the PHP_Evaluator class is the component that executes embedded PHP code, it is the vulnerable component whenever that capability is enabled.


WAF Protection Rules

WAF Rule: DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-****-****.
