CVE-2020-13756

NameCVE-2020-13756
DescriptionSabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104702

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-horde-css-parser (PTS)sid, bookworm, bullseye1.0.11-8vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-horde-css-parsersource(unstable)(unfixed)1104702

Notes

[bookworm] - php-horde-css-parser <ignored> (Horde is non-functional in Bookworm)
https://github.com/MyIntervals/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4
php-horde-css-parser embeds Sabberworm CSS Parser
Search for package or bug name: Reporting problems