-
Notifications
You must be signed in to change notification settings - Fork 306
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add CVE-2022-28368 for Dompdf #625
Conversation
@@ -0,0 +1,8 @@ | |||
title: Remote code injection via remote fonts | |||
link: https://github.com/advisories/GHSA-x752-qjv4-c4hc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
using dompdf/dompdf#2598 as link would give more details
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather link to the Github advisory, they do a good job linking to all further resources like dompdf/dompdf#2598
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but the link itself provide no details about the vulnerability if you don't go to other links
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that page gives a pretty good summary of the vulnerability? It also provides visually clear info about severity, versions and further links.
But I can change it if you want, no problem.
Opened #626 for automating this process. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, let's merge this as is.
Thank you, appreciated! |
Creating this manually kind of sucks.
Can we somehow import all Github security advisories like GHSA-x752-qjv4-c4hc for PHP composer projects automatically? https://github.com/advisories?query=type%3Areviewed+ecosystem%3Acomposer