
Exploit for Dompdf 1.2.1 - Remote Code Execution (CVE-2022-28368)

Description:

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
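
A defensive pre-filter for HTML that is about to be handed to Dompdf, as an added example (not code from this page or from the Dompdf project): it flags @font-face url() sources that do not end in a font file extension. The function name, the extension allowlist, the extra remote-source and CSS-escape flags, and the sample HTML are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: fonts your templates legitimately load use one of these extensions.
FONT_EXTENSIONS = (".ttf", ".otf", ".woff", ".woff2")

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)


def check_font_sources(html):
    """Return one finding per suspicious url() inside an @font-face rule."""
    findings = []
    css = COMMENT_RE.sub("", html)  # commented-out rules are never applied
    for block in FONT_FACE_RE.finditer(css):
        for match in URL_RE.finditer(block.group(1)):
            url = match.group(2).strip()
            reasons = []
            if "\\" in url:
                # CSS escapes can hide the real extension from a plain suffix check
                reasons.append("css-escape-in-url")
            try:
                parsed = urlparse(url)
            except ValueError:
                findings.append({"url": url, "reasons": ["unparseable-url"]})
                continue
            if parsed.scheme.lower() in ("http", "https", "ftp") or url.startswith("//"):
                reasons.append("remote-source")  # policy assumption: fonts are local
            if not parsed.path.lower().endswith(FONT_EXTENSIONS):
                reasons.append("non-font-extension")
            if reasons:
                findings.append({"url": url, "reasons": reasons})
    return findings


# Constructed sample input: one clean rule, one .php source, one commented-out
# rule, and one rule mixing a clean source with a CSS-escaped one.
SAMPLE_HTML = r"""
<html><head><style>
@font-face { font-family: 'ok'; src: url('fonts/brand.woff2'); }
@font-face { font-family: 'x'; src: url("http://fonts.example.test/brand.php"); }
/* @font-face { src: url(commented.php); } */
@font-face { font-family: 'y'; src: URL( /assets/f.TTF ) format('truetype'), url(local\2e php); }
</style></head><body>report</body></html>
"""

if __name__ == "__main__":
    for finding in check_font_sources(SAMPLE_HTML):
        print(finding)
```

Reject or quarantine any document that produces findings before it reaches the renderer; the filter is a screening layer and does not replace upgrading Dompdf.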

Proof of Concept

PoC exploit

Try the exploit in a lab environment:

Lab            Machine         Link
Hack The Box   Interface       Go to Practice
Hack The Box   Investigation   Go to Practice

References:

https://nvd.nist.gov/vuln/detail/CVE-2022-28368