craftcms / commerce

Fully integrated ecommerce for Craft CMS.
https://craftcms.com/commerce

[3.x]: Security vulnerability with DOMPDF < 2.0.2 ? #3153

Closed MattWilcox closed 1 year ago

MattWilcox commented 1 year ago

What happened?

We are currently seeing the following in Terminal after running composer update on systems running Composer ^2.4. Looks like Commerce 3 runs DOMPDF 1.x and only Commerce 4 is on the ^2.x branch?

Unsure how much of a genuine issue this is, but wanted to flag it for review because "security vulnerabilities" and sites that take money aren't a confidence-inspiring combination. Especially if one is an "SSR forgery" and another is "remote file inclusion".

[Screenshot 2023-04-27 at 10:47:39]

Craft CMS version

3.8.8

Craft Commerce version

3.4.20.1

PHP version

7.4

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response
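A quick way to confirm whether a site is still pinned to an affected dompdf release is to read the version straight out of `composer.lock` rather than waiting for the next `composer update` to print the advisory. The script below is an added example, not code from the issue or from the Commerce project; it assumes a constructed `composer.lock` excerpt embedded inline and uses 2.0.2 (the floor named in the issue title) as the minimum acceptable `dompdf/dompdf` version.

```python
import json

# Constructed composer.lock excerpt (not taken from any real site). The
# dompdf version here is deliberately below the 2.0.2 floor from the issue title.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/commerce", "version": "3.4.20.1"},
        {"name": "dompdf/dompdf", "version": "v1.2.2"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.0"},
    ],
})

# Minimum versions to require. 2.0.2 is taken from the issue title and is an
# assumption to be replaced with the floor from the current advisory.
MIN_SAFE = {
    "dompdf/dompdf": "2.0.2",
}


def parse_version(v):
    """Turn 'v1.2.2' or '2.0.2' into a comparable tuple of ints.

    Pre-release suffixes such as '2.0.0-beta1' are cut at the first '-', and
    non-numeric segments count as 0, so the comparison never raises.
    """
    core = v.lstrip("vV").split("-", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    # Pad so that 2.0 compares equal to 2.0.0.
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def find_outdated(lock_json, min_safe=MIN_SAFE):
    """Return [(name, installed, minimum)] for every locked package below its floor.

    Both the production and dev sections of the lock file are checked, since a
    vulnerable dev dependency still ships if the deploy does not prune it.
    """
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name in min_safe:
                installed = pkg.get("version", "0")
                if parse_version(installed) < parse_version(min_safe[name]):
                    findings.append((name, installed, min_safe[name]))
    return findings


if __name__ == "__main__":
    for name, installed, floor in find_outdated(SAMPLE_LOCK):
        print(f"{name} {installed} is below the required {floor}")
```

On a real project, `composer audit` (Composer 2.4 and later, the same mechanism that produced the reporter's terminal output) queries the advisory database directly and should be the primary check; the script is only for an offline look at a lock file when you already know which package and version floor you care about.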

pdaleramirez commented 1 year ago

PR pending: https://github.com/craftcms/commerce/pull/3135

lukeholder commented 1 year ago

Commerce 3.4.21 is now out and requires Dompdf 2.0+

Thanks for reporting.