CIVI-SA-2023-06: Dompdf 2.0.3

Published
2023-02-15 12:00

The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.

Security Risk
Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

CiviCRM version 5.58.0 (and earlier), 5.57.3 (and earlier)

Fixed Versions

CiviCRM version 5.58.1, 5.57.4 (ESR)

Solutions

Upgrade to the fixed version of CiviCRM

Alternatively, if you cannot upgrade CiviCRM, you MAY be able to manually upgrade dompdf (on Drupal 8/9). In your site-root, download the secure version:

composer require 'dompdf/dompdf:~2.0.3'

NOTE: This is useful as a short-term override. In the future, when you have a chance to update CiviCRM, you will need to edit composer.json and remove this override.
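To confirm which dompdf release a Composer-managed site actually has locked, before or after applying the override, the following added example (not part of the original advisory or of CiviCRM) reads composer.lock and compares the locked version with 2.0.3. It assumes dompdf is listed in the site-root composer.lock; the script name, function names and sample lock file are constructed for illustration.

```python
import json
import re
import sys

PACKAGE = "dompdf/dompdf"
FIXED = (2, 0, 3)  # the dompdf release this advisory names as secure

# Constructed sample: a trimmed composer.lock, not taken from a real site.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "civicrm/civicrm-core", "version": "5.58.0"},
    {"name": "dompdf/dompdf", "version": "v2.0.2"}
  ],
  "packages-dev": []
}
"""

def parse_version(text):
    """'v2.0.3' or '2.0.3' -> (2, 0, 3); None for dev branches or pre-releases."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def dompdf_status(lock_text):
    """Return 'absent', 'outdated', 'fixed' or 'unknown' for a composer.lock."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            return "unknown"  # e.g. dev-master: inspect by hand
        return "fixed" if version >= FIXED else "outdated"
    return "absent"  # dompdf is not managed by this composer.lock

if __name__ == "__main__":
    # Usage: python check_dompdf.py /path/to/site-root/composer.lock
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCK
    status = dompdf_status(text)
    print(f"{PACKAGE}: {status}")
    sys.exit(0 if status == "fixed" else 1)
```

A result of "absent" means this lock file does not manage dompdf, so the copy in use must be checked wherever CiviCRM itself is installed.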

CVE
CVE-2023-24813