ELA-1541-1 php-horde-css-parser security update

eval on uncontrolled data

2025-10-15
Package: php-horde-css-parser
Version: 1.0.11-3+deb10u1 (buster)
Related CVEs: CVE-2020-13756


Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

The php-horde-css-parser package bundles the Sabberworm PHP CSS Parser code and is thus also vulnerable.



For Debian 10 buster, these problems have been fixed in version 1.0.11-3+deb10u1.

We recommend that you upgrade your php-horde-css-parser packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.