Bug#1104702: php-horde-css-parser: CVE-2020-13756 (in embedded Sabberwor
From Salvatore Bonaccorso@21:1/5 to All on Sun May 4 23:30:01 2025
Source: php-horde-css-parser
Version: 1.0.11-8
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,

The following vulnerability was published for php-horde-css-parser.

CVE-2020-13756[0]:
| Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled
| data, possibly leading to remote code execution if the function
| allSelectors() or getSelectorsBySpecificity() is called with input
| from an attacker.

php-horde-css-parser embeds Sabberworm CSS Parser, affected by
CVE-2020-13756.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
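
Added example, not part of the bug report and not the upstream or Debian patch: one way to evaluate a selector-specificity filter without eval, by parsing it against an allow-list of operators. It assumes the filter reaches the parser as a string such as "> 100" (comparison operator plus integer); the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration; not Sabberworm or Horde code.
// Assumption: the filter is a string like "> 100" (operator + integer).

/**
 * Parse a specificity filter into [operator, integer], or throw.
 * Only the listed operators and a short decimal integer are accepted,
 * so nothing from the caller is ever interpreted as PHP code.
 */
function parseSpecificityFilter(string $filter): array
{
    if (!preg_match('/\A\s*(==|!=|<=|>=|<|>)\s*(\d{1,9})\s*\z/', $filter, $m)) {
        throw new InvalidArgumentException('Rejected specificity filter');
    }
    return [$m[1], (int) $m[2]];
}

/** Compare without eval: the operator only selects a fixed branch. */
function specificityMatches(int $specificity, string $filter): bool
{
    [$op, $value] = parseSpecificityFilter($filter);
    switch ($op) {
        case '==': return $specificity === $value;
        case '!=': return $specificity !== $value;
        case '<':  return $specificity < $value;
        case '<=': return $specificity <= $value;
        case '>':  return $specificity > $value;
        case '>=': return $specificity >= $value;
    }
    throw new LogicException('Unreachable: operator already validated');
}

// Constructed sample inputs: three well-formed filters, two that must be rejected.
$samples = ['> 100', '<=10', '== 101', '> 0; trailing_code()', 'foo'];
foreach ($samples as $s) {
    try {
        $result = var_export(specificityMatches(101, $s), true);
    } catch (InvalidArgumentException $e) {
        $result = 'rejected';
    }
    printf("%-24s => %s\n", var_export($s, true), $result);
}
```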