Mpdf · Mpdf · CVE-2019-1000005
Name of the Vulnerable Software and Affected Versions:
mPDF versions 7.1.7 and earlier
Description:
The vulnerability is a Deserialization of Untrusted Data issue in the `getImage()` method of the `Image/ImageProcessor` class. When the method opens an image whose path uses PHP's `phar://` stream wrapper, PHP unserializes the metadata stored in the phar archive, so attacker-controlled data is deserialized. This can result in arbitrary code execution, file writes, and similar impacts. The issue is exploitable when an attacker can place a crafted image file on the victim server and trigger generation of a PDF from HTML containing `<img src="phar://path/to/crafted/image">`.
Recommendations:
For mPDF versions 7.1.7 and earlier, update to version 7.1.8, which resolves the issue. Where upgrading is not immediately possible, restrict the use of the `getImage()` method in the `Image/ImageProcessor` class as a temporary workaround, and do not allow `<img src>` values that use the `phar://` protocol in HTML that is rendered to PDF until the fix is in place.
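One way to enforce the workaround above while a deployment is still on 7.1.7 or earlier is to allow-list image sources before the HTML ever reaches mPDF. The following is an added example written for this page, not mPDF's own code and not the 7.1.8 fix; the helper names `isSafeImageSource` and `sanitizeImgSources` are hypothetical, the image directory is assumed, and the sample HTML is constructed. It assumes PHP 8 for `str_starts_with`.

```php
<?php
declare(strict_types=1);

// Added example (not mPDF code). Hypothetical helper: decide whether an
// <img src> value may be handed to the PDF renderer. Only plain http(s)
// URLs, inline data: URIs and files inside $imageRoot are accepted; every
// other scheme (phar://, file://, php://, ...) is a PHP stream wrapper we
// do not want opened during PDF generation.
function isSafeImageSource(string $src, string $imageRoot): bool
{
    // The renderer sees the entity-decoded attribute, so decode first; a
    // value such as "phar&#58;//..." must not slip past the scheme check.
    $src = trim(html_entity_decode($src, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $src, $m)) {
        $scheme = strtolower($m[1]);
        return in_array($scheme, ['http', 'https', 'data'], true);
    }

    // No scheme: treat as a path relative to the configured image directory
    // and require that it resolves inside that directory.
    $realRoot = realpath($imageRoot);
    $realPath = realpath($imageRoot . DIRECTORY_SEPARATOR . ltrim($src, '/\\'));
    if ($realRoot === false || $realPath === false) {
        return false;
    }
    return str_starts_with($realPath, $realRoot . DIRECTORY_SEPARATOR);
}

// Hypothetical helper: rewrite untrusted HTML so that any <img> whose src
// fails the check is replaced by a comment instead of reaching mPDF.
function sanitizeImgSources(string $html, string $imageRoot): string
{
    return preg_replace_callback(
        '/<img\b[^>]*>/i',
        function (array $m) use ($imageRoot): string {
            $tag = $m[0];
            // Match src="...", src='...' or an unquoted src=value.
            if (!preg_match('/\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i', $tag, $s)) {
                return $tag; // no src attribute, nothing will be opened
            }
            $src = ($s[1] ?? '') . ($s[2] ?? '') . ($s[3] ?? '');
            return isSafeImageSource($src, $imageRoot)
                ? $tag
                : '<!-- image removed: disallowed src -->';
        },
        $html
    );
}

// Constructed sample input (not from the advisory) exercising the check.
$untrusted = '<p>Report</p>'
    . '<img src="https://example.com/logo.png" alt="kept">'
    . '<img src="phar://uploads/avatar.jpg" alt="removed">'
    . '<img src="phar&#58;//uploads/avatar.jpg" alt="removed too">';

// The https image survives; both phar:// tags become comments.
$clean = sanitizeImgSources($untrusted, __DIR__ . '/images');
echo $clean, PHP_EOL;
```

Run `sanitizeImgSources()` on any HTML that contains user-influenced markup before passing it to `$mpdf->WriteHTML()`. The check is deliberately conservative: a source with an unrecognised scheme or a local path outside the image directory is dropped rather than guessed at, and entity decoding happens before the scheme test so that encoded variants of `phar://` are caught. This is a defence-in-depth layer for the workaround period; it does not replace upgrading to 7.1.8.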