CVE-2020-13756
CRITICAL9.8EPSS 27.8%Sabberworm PHP CSS Parser Code injection vulnerability in allSelectors()
發布日:2022/3/26修改日:2026/4/28
描述
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
受影響套件(3)
- Debian/php-horde-css-parserfrom 0, < 1.0.11-8+deb11u1
- Debian/php-horde-css-parserfrom 0, < 1.0.11-8+deb11u1
- Packagist/sabberworm/php-css-parser>= 8.3.0, < 8.3.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13756
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-13756
- WEBhttp://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html
- WEBhttp://seclists.org/fulldisclosure/2020/Jun/7
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/sabberworm/php-css-parser/CVE-2020-13756.yaml
- WEBhttps://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4
- WEBhttps://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1
- WEBhttps://lists.debian.org/debian-lts-announce/2025/10/msg00013.html
- WEBhttps://packetstormsecurity.com/files/cve/CVE-2020-13756