CVE-2019-1000005
https://notcve.org/view.php?id=CVE-2019-1000005
04 Feb 2019 — mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable when an attacker hosts a crafted image on the victim server and triggers generation of a PDF file with content . This vulnerability appears to have been fixed in 7.1.8. • https://github.com/mpdf/mpdf/issues/949 • CWE-502: Deserialization of Untrusted Data •
CVE-2018-19047
https://notcve.org/view.php?id=CVE-2018-19047
07 Nov 2018 — mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '
CVE-2011-5219 – mPDF 5.3 - File Disclosure
https://notcve.org/view.php?id=CVE-2011-5219
25 Oct 2012 — Directory traversal vulnerability in examples/show_code.php in mPDF 5.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter. • https://www.exploit-db.com/exploits/18248 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •