
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical-severity security vulnerability (CVE-2023-24813) was discovered in the open-source Dompdf library, an HTML-to-PDF converter written in PHP. The vulnerability was discovered by Ry0taK and disclosed on February 7, 2023. The flaw affects version 2.0.2 of the library and results from an incomplete fix for CVE-2023-23924 (GitHub Advisory, Security Online).
The vulnerability stems from a difference between the attribute parsers of Dompdf and php-svg-lib. Dompdf validates the xlink:href attribute even when an href attribute is also specified, whereas php-svg-lib prefers the href attribute when both xlink:href and href are present. Because of this discrepancy, an attacker can bypass Dompdf's check by supplying an empty xlink:href attribute alongside href. The vulnerability has been assigned the maximum CVSS v3 base score of 10.0, indicating critical severity (GitHub Advisory).
When exploited, the vulnerability allows attackers to make Dompdf request arbitrary URLs with arbitrary protocols through a crafted SVG file. In PHP versions prior to 8.0.0, this can lead to arbitrary unserialization, which may in turn result in arbitrary file deletion and, depending on the classes available, remote code execution (GitHub Advisory).
The vulnerability has been addressed in version 2.0.3 of the Dompdf library. Users are strongly advised to upgrade to this patched version to mitigate the risk (Security Online).
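The defensive lesson of this parser mismatch is that a URL check must cover every attribute a downstream consumer might read, not just the one the checking component happens to prefer. The following PHP snippet is an added example written for this page; it is not code from Dompdf or php-svg-lib. It walks the `<image>` elements of an SVG document, collects both `href` and `xlink:href`, rejects the mixed case in which one is empty and the other is not (the exact situation where two parsers can disagree), and applies a single scheme allow-list to every non-empty candidate. The allow-list (`http`, `https`, `data`) and the function names are assumptions chosen for the example.

```php
<?php
// Added example (not Dompdf or php-svg-lib code): validate SVG <image> hrefs so
// that every candidate attribute is checked, regardless of which one a given
// parser would prefer. Assumed allow-list of URL schemes for this example.
const XLINK_NS = 'http://www.w3.org/1999/xlink';
const ALLOWED_SCHEMES = ['http', 'https', 'data'];

/**
 * Return every href candidate on an element, keyed by attribute name.
 * Empty strings are kept on purpose so the caller sees that the attribute exists.
 */
function hrefCandidates(DOMElement $el): array
{
    $out = [];
    if ($el->hasAttribute('href')) {
        $out['href'] = $el->getAttribute('href');
    }
    // Namespaced form (xmlns:xlink declared) and raw prefixed form (not declared).
    if ($el->hasAttributeNS(XLINK_NS, 'href')) {
        $out['xlink:href'] = $el->getAttributeNS(XLINK_NS, 'href');
    } elseif ($el->hasAttribute('xlink:href')) {
        $out['xlink:href'] = $el->getAttribute('xlink:href');
    }
    return $out;
}

/** Lower-cased URL scheme, or '' for a relative reference. */
function schemeOf(string $url): string
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    return is_string($scheme) ? strtolower($scheme) : '';
}

/**
 * Check all <image> elements in an SVG string. Returns a list of problems;
 * an empty list means the document passed.
 */
function checkSvgImageHrefs(string $svg): array
{
    $problems = [];
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($svg, LIBXML_NONET); // LIBXML_NONET: no network fetches while parsing
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return ['document is not well-formed XML'];
    }
    foreach ($doc->getElementsByTagNameNS('*', 'image') as $img) {
        $cands = hrefCandidates($img);
        if ($cands === []) {
            continue;
        }
        $nonEmpty = array_filter($cands, fn($v) => trim($v) !== '');
        // One empty and one non-empty attribute is exactly the case where two
        // parsers can disagree about which attribute wins; refuse it outright.
        if (count($cands) > 1 && count($nonEmpty) !== count($cands)) {
            $problems[] = 'image has both href and xlink:href but one of them is empty';
        }
        if (count($nonEmpty) > 1 && count(array_unique(array_map('trim', $nonEmpty))) > 1) {
            $problems[] = 'image has conflicting href and xlink:href values';
        }
        // Apply the same scheme policy to every non-empty candidate.
        foreach ($nonEmpty as $attr => $url) {
            $scheme = schemeOf($url);
            if ($scheme !== '' && !in_array($scheme, ALLOWED_SCHEMES, true)) {
                $problems[] = "$attr uses disallowed scheme '$scheme'";
            }
        }
    }
    return $problems;
}

// Constructed sample inputs for the example.
$benign = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
        . '<image xlink:href="https://example.invalid/logo.png" width="10" height="10"/></svg>';
$mixed  = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
        . '<image xlink:href="" href="https://example.invalid/logo.png" width="10" height="10"/></svg>';

print_r(checkSvgImageHrefs($benign)); // empty array: document passes
print_r(checkSvgImageHrefs($mixed));  // flags the empty/non-empty attribute pair
```

The check deliberately treats an attribute that is present but empty as meaningful: it is the presence of two candidates, not their values, that lets one component validate something different from what another component ends up using. Running the same scheme policy over every candidate removes the dependence on attribute precedence altogether.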
Source: This report was generated using AI