{"vulnerability": "cve-2022-28368", "sightings": [{"uuid": "9ec2219d-8bf6-4e66-b3bb-7cfd68b2e81a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "published-proof-of-concept", "source": "Telegram/NK5whMDdXVt7SbkdiM1ZUZppAH_919v1yw_tRRhT6XXw02Y", "content": "", "creation_timestamp": "2023-02-24T12:51:36.000000Z"}, {"uuid": "2aeac83c-bfe4-4c28-a97c-d065ffaeff61", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/6454", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aRCE\n\u63cf\u8ff0\uff1aDompdf RCE PoC Exploit - CVE-2022-28368\nURL\uff1ahttps://github.com/rvizx/CVE-2022-28368\n\n\u6807\u7b7e\uff1a#RCE", "creation_timestamp": "2024-01-19T04:40:19.000000Z"}, {"uuid": "1b6c7b16-5403-4c3e-a248-983af9a8763b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/7755", "content": "#exploit\n1. CVE-2022-28368:\nDompdf <1.2.1 - RCE\nhttps://github.com/rvizx/CVE-2022-28368\n\n2. Exploiting a remote heap overflow with a custom TCP stack\nhttps://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-with-a-custom-tcp-stack.html", "creation_timestamp": "2023-02-15T11:03:01.000000Z"}, {"uuid": "0a91ee01-845d-4717-94d7-8a247a01c5f7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "published-proof-of-concept", "source": "https://t.me/dilagrafie/2321", "content": "#Tools\u00a0 \ud83d\udee0\ufe0f \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 \ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06\n\n\u200b\u200bCybersecurity Career Path\n\nhttps://github.com/rezaduty/cybersecurity-career-path\n\n\u200b\u200bCVE-2022-28368 - Dompdf RCE\n\nDompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).\n\nhttps://github.com/rvizx/CVE-2022-28368\n\n#cve #poc\n\n\u200b\u200bAwesome Network Security\n\nA collection of awesome resources, tools, and other shiny things for Network Security.\n\nhttps://github.com/SubediBibek-cmd/awesome-network-security\n\n\u200b\u200bInject\n\nPacket crafting, injection and sniffing tool.\n\nhttps://github.com/fksvs/inject\n\n#pentesting #redteam\n\n\u200b\u200bWeb Application Cheatsheet (Vulnhub)\n\nThis cheatsheet is intended for CTF participants and beginners to help them understand web application vulnerability through examples. There are multiple ways to perform the same task. We have performed and compiled this list based on our experience.\n\nhttps://github.com/Ignitetechnologies/Web-Application-Cheatsheet\n\n\u200b\u200bCalico\n\nCalico is a widely adopted, battle-tested open source networking and network security solution for Kubernetes, virtual machines, and bare-metal workloads. Calico provides two major services for Cloud Native applications:\n\n\u25ab\ufe0f Network connectivity between workloads.\n\u25ab\ufe0f Network security policy enforcement between workloads.\n\nhttps://github.com/projectcalico/calico\n\n\u200b\u200bfofax\n\nfofax is a fofa query tool written in go, positioned as a command-line tool and characterized by simplicity and speed. \n\nThe following features are currently available:\n\u25ab\ufe0f Basic FOFA syntax queries\n\u25ab\ufe0f Icon Hash local/online calculation query\n\u25ab\ufe0f Asset filtering\n\u25ab\ufe0f Opening in browser\n\u25ab\ufe0f Linking other security tools\n\u25ab\ufe0f More (waiting for your feedback after using)\n\nIn addition to this it is possible to customize fx syntax queries, and users can write their own specific fx query rules via a configuration file in yaml format.\n\nhttps://github.com/xiecat/fofax\n\n\u200b\u200btls-scan\n\nAn Internet scale, blazing fast SSL/TLS scanner ( non-blocking, event-driven )\n\nA program to scan TLS based servers and collect X.509 certificates, ciphers and related information. It produces results in JSON format. tls-scan is a single threaded asynchronous/event-based program (powered by libevent) capable of concurrently scan thousands of TLS servers. It can be combined with other tools such as GNU parallel to vertically scale in multi-core machines.\n\nhttps://github.com/prbinu/tls-scan\n\n\u200b\u200bosinttools\n\nA collection of random #OSINT files.\n\nhttps://github.com/WebBreacher/osinttools\n\n\u200b\u200bdexios\n\nA secure file encryption utility, written in Rust.\n\nDexios will continue to receive updates. Things are stable for the time being and I consider none of the code broken. In the (somewhat) near future I plan to change the backend entirely and give the CLI a re-write, so that things are both easier to maintain and understand. This will regrettably not be backwards-compatible, but the performance improvements and stability guarantees will be extremely worthwhile.\n\nhttps://github.com/brxken128/dexios\n\nBTC:\nbc1q62lwma4r3w3klq4mcn5hys9nps5h40qmafrc8e\n\n#Tools\u00a0 \ud83d\udee0\ufe0f \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 \ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06\nwww.ghostclan.org", "creation_timestamp": "2023-02-23T08:39:34.000000Z"}, {"uuid": "5cce7d9b-b108-4afe-bd82-31a55056613f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "seen", "source": "https://t.me/cibsecurity/40068", "content": "\u203c CVE-2022-28368 \u203c\n\nDompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-04-03T07:21:14.000000Z"}, {"uuid": "d8e6888a-a85b-4d8f-9ee4-89ec4b71a144", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "published-proof-of-concept", "source": "Telegram/WQpEVimxGvooSSUaCrA0t8uAyFoTwTeQ6cCn5gu5Byz3iRM", "content": "", "creation_timestamp": "2023-02-15T07:32:16.000000Z"}, {"uuid": "aef50ffa-084b-489f-a9d8-dec63c5f3bd9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "seen", "source": "Telegram/pekQneQSghJS9ruSll4_086gjVL0B0HejJCeE2Ffiq4w67c", "content": "", "creation_timestamp": "2026-05-21T23:00:10.000000Z"}, {"uuid": "38eae907-528c-44bd-8a63-f4192eabf78d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/dompdf_rce_cve_2022_28368.rb", "content": "{\"aliases\": [], \"arch\": \"php\", \"author\": [\"Maximilian Kirchmeier\", \"Fabian Br\\u00e4unlein\", \"rvizx\", \"msutovsky-r7\", \"Adithya Pawar\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"This module exploits CVE-2022-28368, a Remote Code Execution vulnerability\\n          in dompdf versions prior to 1.2.1. The vulnerability exists because dompdf\\n          preserves the original file extension when caching fonts downloaded via CSS\\n          @font-face rules. By pointing a @font-face src to a .php file containing a\\n          valid TrueType font header with embedded PHP code, the file is saved in the\\n          dompdf font cache (lib/fonts/) with its .php extension intact. The cached\\n          file can then be executed by directly requesting it from the web server.\\n\\n          For dompdf versions <= 0.8.5, remote font loading works regardless of the\\n          $isRemoteEnabled setting. For versions 0.8.6 through 1.2.0, the\\n          $isRemoteEnabled option must be set to true.\\n\\n          This module requires the ability to inject HTML/CSS into the data processed\\n          by dompdf (e.g., via an XSS, a user-controlled form field, or a direct\\n          parameter) and that the dompdf font cache directory is web-accessible.\", \"disclosure_date\": \"2022-04-05\", \"fullname\": \"exploit/multi/http/dompdf_rce_cve_2022_28368\", \"is_install_path\": true, \"mod_time\": \"2026-05-20 15:50:16 +0000\", \"name\": \"Dompdf RCE via Malicious Font Caching (CVE-2022-28368)\", \"needs_cleanup\": true, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"artifacts-on-disk\", \"ioc-in-logs\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/exploits/multi/http/dompdf_rce_cve_2022_28368.rb\", \"platform\": \"PHP\", \"post_auth\": false, \"rank\": 600, \"ref_name\": \"multi/http/dompdf_rce_cve_2022_28368\", \"references\": [\"CVE-2022-28368\", \"GHSA-56gj-mvh6-rp75\", \"URL-https://positive.security/blog/dompdf-rce\", \"URL-https://github.com/rvizx/CVE-2022-28368\"], \"rport\": 80, \"session_types\": false, \"targets\": [\"PHP\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-21T04:46:43.000000Z"}]}