CVE-2023-23924: 
PHP vulnerability analysis and mitigation

A critical-severity security vulnerability (CVE-2023-23924) was discovered in the open-source Dompdf PHP library, an HTML-to-PDF converter with over 65 million downloads. The vulnerability was disclosed on January 31, 2023, affecting all versions up to and including 2.0.1. The flaw allows attackers to bypass URI validation during SVG parsing, potentially enabling them to call arbitrary URLs with arbitrary protocols when they can provide an SVG file to Dompdf (SecurityOnline, GitHub Advisory).

The vulnerability occurs during SVG parsing of tags in src/Image/Cache.php where the name comparison with 'image' is case sensitive. This allows attackers to bypass the security check by using uppercase letters in the tag name (e.g., 'Image' instead of 'image'). The bug received a CVSS score of 10.0, indicating critical severity. The vulnerability specifically affects the URI validation mechanism and can be triggered through SVG file parsing (GitHub Advisory).

In PHP versions before 8.0.0, successful exploitation leads to arbitrary object unserialization, which at minimum results in arbitrary file deletion. Depending on available classes, it could potentially lead to remote code execution on the target server. The vulnerability affects the confidentiality, integrity, and availability of the system (GitHub Advisory, SecurityOnline).

The vulnerability was patched in Dompdf version 2.0.2, released on January 31, 2023. The fix involves modifying the tag name comparison to be case-insensitive by using strtolower() before the check. Users are strongly recommended to upgrade to version 2.0.2 or later to address this security issue (GitHub Release, GitHub Commit).