Remote Code Execution (RCE) Affecting sabberworm/php-css-parser package, versions <8.3.1
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
Threat Intelligence
- EPSS: 1.54% (87th percentile)
- Snyk ID SNYK-PHP-SABBERWORMPHPCSSPARSER-571300
- published 4 Jun 2020
- disclosed 4 Jun 2020
- credit Unknown
Introduced: 4 Jun 2020
CVE-2020-13756
How to fix?
Upgrade sabberworm/php-css-parser to version 8.3.1 or higher.
Overview
sabberworm/php-css-parser is a parser for CSS files written in PHP. It allows extraction of CSS files into a data structure, manipulation of said structure and output as (optimized) CSS.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). A call to eval on uncontrolled data possibly leads to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called on the attacker's input.
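To check a project against this advisory, the added example below (not Snyk's or the package's own code) reads a composer.lock for a locked sabberworm/php-css-parser older than 8.3.1 and lists call sites of the two methods named above. The function names, the sample lock file and the sample PHP source are constructed for illustration, and the call-site match is a method-name heuristic.

```python
import json
import re

PACKAGE = "sabberworm/php-css-parser"
FIXED = (8, 3, 1)  # first fixed release according to the advisory
# Heuristic: matches the method names on any object, not only parser documents.
RISKY_CALLS = re.compile(r"->\s*(allSelectors|getSelectorsBySpecificity)\s*\(")

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "sabberworm/php-css-parser", "version": "8.3.0"}],
    "packages-dev": [{"name": "Sabberworm/PHP-CSS-Parser", "version": "dev-master"}],
})
SAMPLE_PHP = "<?php\n$doc = $parser->parse();\n$hits = $doc->getSelectorsBySpecificity($filter);\n"


def parse_version(raw):
    """Return (major, minor, patch), or None for branch/dev/pre-release versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def audit_lock(lock_text):
    """Return [(locked_version, status)] for every locked copy of the package."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            parsed = parse_version(raw)
            if parsed is None:
                status = "unknown"  # cannot be compared; review by hand
            else:
                status = "vulnerable" if parsed < FIXED else "fixed"
            findings.append((raw, status))
    return findings


def find_risky_calls(php_source):
    """Return [(line_number, method)] for calls to the methods the advisory names."""
    return [(n, m.group(1))
            for n, line in enumerate(php_source.splitlines(), 1)
            for m in RISKY_CALLS.finditer(line)]


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK), find_risky_calls(SAMPLE_PHP))
```

A "vulnerable" or "unknown" lock entry combined with any reported call site is the case to prioritise for the upgrade to 8.3.1 or higher.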