CVE-2024-32489
Published 2024-04-15
TCPDF before 6.7.4 mishandles calls that use HTML syntax.
Priority P4 · 25 · medium · CVSS 3.1 base score 6.1
CVSS vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS 0.58% (43.4th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tcpdf | < 6.6.2+dfsg1-1+deb12u1 (bookworm) | 6.6.2+dfsg1-1+deb12u1 (bookworm) |
| tcpdf_project | tcpdf | < 6.7.4 | 6.7.4 |
| tcpdf_project | tcpdf | >= 0 < 6.3.5+dfsg1-1+deb11u1 | 6.3.5+dfsg1-1+deb11u1 |
| tcpdf_project | tcpdf | >= 0 < 6.6.2+dfsg1-1+deb12u1 | 6.6.2+dfsg1-1+deb12u1 |
| tcpdf_project | tcpdf | >= 0 < 6.7.4+dfsg-1 | 6.7.4+dfsg-1 |
| tecnickcom | tcpdf | >= 0 < 6.7.4 | 6.7.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |
OSV
osv · 2024-04-15 · CVSS 6.1 · MEDIUM
CVE-2024-32489: TCPDF before 6.7.4 mishandles calls that use HTML syntax.
GHSA
ghsa · 2024-04-15 · MEDIUM · CWE-79
TCPDF Cross-site Scripting vulnerability
TCPDF before 6.7.4 mishandles calls that use HTML syntax.
OSV
osv · 2024-04-15 · MEDIUM
TCPDF Cross-site Scripting vulnerability
TCPDF before 6.7.4 mishandles calls that use HTML syntax.
Debian
vendor_debian · 2024 · CVSS 6.1 · MEDIUM
CVE-2024-32489: tcpdf - TCPDF before 6.7.4 mishandles calls that use HTML syntax.
Scope: local
bookworm: resolved (fixed in 6.6.2+dfsg1-1+deb12u1)
bullseye: resolved (fixed in 6.3.5+dfsg1-1+deb11u1)
forky: resolved (fixed in 6.7.4+dfsg-1)
sid: resolved (fixed in 6.7.4+dfsg-1)
trixie: resolved (fixed in 6.7.4+dfsg-1)
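The Affected table and the Debian per-suite statuses above use two version syntaxes: plain upstream releases (6.7.4) and Debian package versions (6.6.2+dfsg1-1+deb12u1), and the latter only compare correctly under dpkg's ordering rules (`~` sorts before the empty string, digit runs compare numerically, other characters by a fixed weight). The following is an added example, not TCPDF or Debian code: it embeds the fixed versions listed on this page, implements the dpkg comparison algorithm in Python, and reports whether a given installed version is still inside the vulnerable range for its channel. The channel names, `FIXED_IN`, `dpkg_compare` and `is_vulnerable` are this example's own. Feed it the version from `composer show tecnickcom/tcpdf` for a Composer install, or the Debian package version string (the binary package name `php-tcpdf` is assumed here).

```python
"""Check an installed TCPDF version against the fixed versions on this page.

Added example, not TCPDF project or Debian code. Fixed versions are copied
from the advisory's Affected table and Debian status lines. The comparison
reimplements dpkg's version ordering so Debian strings such as
6.6.2+dfsg1-1+deb12u1 sort the way `dpkg --compare-versions` sorts them;
plain upstream strings (6.7.3, 6.7.4) are a subset of that syntax.
"""

# Fixed version per distribution channel, from the advisory (assumed channel names).
FIXED_IN = {
    "upstream": "6.7.4",
    "bullseye": "6.3.5+dfsg1-1+deb11u1",
    "bookworm": "6.6.2+dfsg1-1+deb12u1",
    "trixie": "6.7.4+dfsg-1",
    "forky": "6.7.4+dfsg-1",
    "sid": "6.7.4+dfsg-1",
}


def _order(c):
    """dpkg character weight: '~' sorts before end-of-string (0), digits are
    handled separately, letters sort before any other symbol."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate non-digit runs (by character weight) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: first differing weight decides.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run is larger, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    if c != 0:
        return c
    return _verrevcmp(r1, r2)


def is_vulnerable(installed, channel="upstream"):
    """True if the installed version is older than this page's fixed version
    for the given channel. Strips a leading 'v' as printed by Composer/git tags."""
    installed = installed.lstrip("vV")
    return dpkg_compare(installed, FIXED_IN[channel]) < 0


if __name__ == "__main__":
    # Constructed sample inputs, one per syntax seen in the advisory.
    for ver, chan in [("6.7.3", "upstream"), ("6.7.4~rc1", "upstream"),
                      ("6.6.2+dfsg1-1", "bookworm"), ("6.6.2+dfsg1-1+deb12u1", "bookworm")]:
        print("%-9s %-24s vulnerable=%s" % (chan, ver, is_vulnerable(ver, chan)))
```

Note the pre-release case: `6.7.4~rc1` is older than `6.7.4` under dpkg rules, so it is reported as vulnerable, whereas a naive string or tuple comparison would call it fixed. On a Debian host the same answer can be had from `dpkg --compare-versions "$installed" lt "$fixed"`; the Python version is for inventories collected off-host.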
No detection rules found.
No public exploits indexed.
References
https://github.com/tecnickcom/TCPDF/commit/51cd1b39de5643836e62661d162c472d63167df7
https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
https://github.com/tecnickcom/TCPDF/compare/6.6.2...6.7.4
https://lists.debian.org/debian-lts-announce/2025/06/msg00004.html