Abstract Advisory Information


The PDF engine allows loading local or remote content through a specific class of HTML tags.

Author: Dominique RIGHETTO

Version affected


Name: PD4ML java library

Versions: 4.0.15fx1

Common Vulnerability Scoring System


6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Patches


None

References


Vulnerability Disclosure Timeline


  • 07/12/2022: Vulnerability discovery
  • 08/12/2022: Vulnerability report sent to CERT-XLM
  • 09/12/2022: Vulnerability report sent to vendor through their form
  • 09/12/2022: Vendor replied; vulnerability report sent
  • 09/12/2022: Vendor's position: there is nothing to fix
  • 16/12/2022: E-mail sent to vendor again to press the matter; the vendor recognizes the vulnerability
  • 20/12/2022: E-mail sent to vendor to set up a technical meeting
  • 23/12/2022: E-mail sent to vendor to set up a technical meeting
  • 06/01/2023: Vendor informed of an update to the advisory
  • 09/01/2023: Meeting held to discuss the technical details
  • 09/01/2023: Message sent to the vendor stating that we will start our usual publication process
  • 03/03/2023: CVE ID requested from MITRE
  • 03/03/2023: CVE ID assigned: CVE-2023-27565
  • 17/03/2023: Public disclosure by Excellium Services