CVE-2023-41330

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Sep 6, 2023
Updated: Sep 12, 2023
CWE ID 502

Summary

CVE-2023-41330 is a new vulnerability affecting the knplabs/knp-snappy PHP library, which allows thumbnail, snapshot, or PDF generation from URLs or HTML pages. This vulnerability builds on the previously disclosed CVE-2023-28115, which enabled remote code execution through PHAR deserialization. The latest version of the library, 1.4.2, introduced a check to prevent this vulnerability. However, an attacker can bypass this check by controlling the second parameter of the `generateFromHtml()` function, which is passed to the `prepareOutput()` function as the `$filename` parameter. If the server is running a PHP version prior to 8 and the attacker is able to upload a file, they can execute arbitrary code and access the underlying filesystem. Users are advised to upgrade to version 1.4.3, which addresses this issue in commit `d3b742d61a`. Alternatively, users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.
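For applications that cannot upgrade immediately, one way to keep untrusted input out of the second parameter of `generateFromHtml()` is to validate the output path before the call. The following is an added example, not code from knp-snappy or from commit `d3b742d61a`; the function name `safeOutputPath()`, the single output directory, the `.pdf` naming rule and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not part of knp-snappy).
 * Assumption: every generated file belongs in one application-chosen directory.
 */
function safeOutputPath(string $candidate, string $baseDir): string
{
    // Reject any stream wrapper (scheme://...). Match the general form,
    // case-insensitively, instead of comparing against one literal prefix.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $candidate) === 1) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    if (strpos($candidate, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in output path');
    }
    // Keep only the last path component and a conservative character set.
    $name = basename(str_replace('\\', '/', $candidate));
    if (preg_match('/^[A-Za-z0-9_.-]+\.pdf$/', $name) !== 1 || $name[0] === '.') {
        throw new InvalidArgumentException('unexpected output file name');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('output directory does not exist');
    }
    // The result is always a plain local path inside $baseDir.
    return $base . DIRECTORY_SEPARATOR . $name;
}

// Constructed sample inputs, including wrapper-style and traversal-style values.
$samples = ['report.pdf', 'phar://upload.jpg/x.pdf', 'Phar://upload.jpg/x.pdf',
            'file:///tmp/a.pdf', '../../etc/x.pdf', '..pdf'];
foreach ($samples as $input) {
    try {
        printf("%-26s -> %s\n", $input, safeOutputPath($input, sys_get_temp_dir()));
    } catch (InvalidArgumentException $e) {
        printf("%-26s -> rejected (%s)\n", $input, $e->getMessage());
    }
}
```

The returned value is what would be passed as the second argument to `generateFromHtml()`; the traversal-style sample is reduced to its file name inside the chosen directory rather than rejected.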
