Project: Printer, email and PDF versions
Security risk: *Highly critical* 20∕25
Vulnerability: Remote Code Execution
This module provides printer-friendly versions of content, including send by
e-mail and PDF versions.
The module doesn't sufficiently sanitize the arguments passed to the
wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell
commands. It also doesn't sufficiently sanitize the HTML content passed to
dompdf, allowing a privileged attacker to execute arbitrary PHP code.
This vulnerability is mitigated by the fact that the site must have either
the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF
generation tool. In the case of the dompdf vulnerability, the attacker must
be able to write content to the site.
Install the latest version:
* If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1
In alternative, disable PDF generation, or replace the PDF generation library
with another of the supported versions.
Also see the Printer, email and PDF project page.