CVE-2020-13756

Published: Jun 3, 2020Modified: Nov 3, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

Affected (1)

Products: Sabberworm: Php Css Parser

Sabberworm

1 product

Php Css Parser

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sabberworm Php Css Parser	Before 8.3.1

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (9)

http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2020/Jun/7

Source: cve@mitre.org

ExploitMailing ListThird Party Advisory

https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1

Source: cve@mitre.org

Release NotesThird Party Advisory

http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html