CVE-2024-56519Cross-site Scripting in Tcpdf

CWE-79Cross-site Scripting6 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 74.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Tecnick TcpdfTcpdf Project TcpdfTecnickcom Tcpdf
Timeline
PublishedDec 27

Description

An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

CVEListV5tecnick/tcpdf< 6.8.0
Packagisttecnickcom/tcpdf< 6.8.0
NVDtcpdf_project/tcpdf< 6.8.0
Debiantcpdf_project/tcpdf< 6.3.5+dfsg1-1+deb11u1+3

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
TCPDF lacks SVG sanitization2024-12-27
GHSA
TCPDF lacks SVG sanitization2024-12-27
CVEList
CVE-2024-56519: An issue was discovered in TCPDF before 62024-12-27
OSV
CVE-2024-56519: An issue was discovered in TCPDF before 62024-12-27

📋Vendor Advisories

1
Debian
CVE-2024-56519: tcpdf - An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize th...2024
CVE-2024-56519 — Cross-site Scripting in Tecnick Tcpdf | cvebase