Apryse HTML2PDF SDK Argument Injection Leading to Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the Apryse HTML2PDF SDK, affecting versions through 11.10. The issue arises in the InsertFromURL() function, where improper sanitization allows attackers to inject command-line arguments that are executed by the application. This vulnerability is exploitable on both Linux and Windows systems.
Impact
Exploitation of this vulnerability allows for arbitrary operating system command execution on the server where the Apryse HTML2PDF SDK is used.
Reproduction
To reproduce this vulnerability, use the InsertFromURL() function in the Apryse HTML2PDF module. Pass a crafted URL string that includes command-line arguments into the function. When the HTML is processed, the injected commands will be executed on the server. This can be verified by checking the application logs for the output of the executed command.
Remediation
The vendor has not acknowledged or addressed this vulnerability. However, it can be mitigated by sanitizing any data sent to the PDF conversion functions, ensuring that it cannot be interpreted as a command-line argument. If displaying HTML, use a trusted HTML sanitizer and apply output encoding where appropriate.
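One way to apply this mitigation, as an added example that is not Apryse code and not part of the original advisory: validate the caller-supplied URL before it is passed to InsertFromURL(), rejecting anything that could be read as a separate command-line argument. It goes beyond the advisory's wording by also enforcing a scheme and host allow-list; the function names and the host `reports.example.internal` are hypothetical.

```python
from urllib.parse import quote, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"reports.example.internal"}  # constructed allow-list, replace with your own
FORBIDDEN_CHARS = set("\"'`\\")  # quoting characters that can break argument boundaries


class UnsafeURL(ValueError):
    """Raised when a value must not reach the PDF conversion call."""


def safe_url_for_conversion(raw):
    """Return a re-serialized URL that is safe to hand on, or raise UnsafeURL."""
    if not isinstance(raw, str) or not raw:
        raise UnsafeURL("empty or non-string value")
    if raw.startswith("-"):
        raise UnsafeURL("value looks like a command-line option")
    # Whitespace and control characters are what let one value become several arguments.
    for ch in raw:
        if ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F or ch in FORBIDDEN_CHARS:
            raise UnsafeURL("whitespace, control or quoting character in URL")
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeURL(f"unparseable URL: {exc}") from exc
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL("host not allowed")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL not allowed")
    # Rebuild from parsed components so only the validated pieces are forwarded.
    netloc = host if port is None else f"{host}:{port}"
    path = quote(parts.path or "/", safe="/%")
    query = quote(parts.query, safe="=&%")
    return urlunsplit((scheme, netloc, path, query, ""))


def is_rejected(raw):
    """Convenience wrapper: True when the value fails validation."""
    try:
        safe_url_for_conversion(raw)
    except UnsafeURL:
        return True
    return False
```

Call the validator at the trust boundary and pass only its return value to the conversion function; log rejected values so attempted injections are visible to monitoring.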
