CVE-2024-56527: Cross-site Scripting in Tcpdf

Severity: 7.5 HIGH (NVD)
EPSS: 0.3% (top 42.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 27

Description

An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

CVEListV5 | tecnick/tcpdf | < 6.8.0
Packagist | tecnickcom/tcpdf | < 6.8.0
NVD | tcpdf_project/tcpdf | < 6.8.0
Debian | tcpdf_project/tcpdf | < 6.3.5+dfsg1-1+deb11u1+3

Patches

🔴 Vulnerability Details (4)

OSV | CVE-2024-56527: An issue was discovered in TCPDF before 6 | 2024-12-27
CVEList | CVE-2024-56527: An issue was discovered in TCPDF before 6 | 2024-12-27
GHSA | TCPDF missing character escape on error messages | 2024-12-27
OSV | TCPDF missing character escape on error messages | 2024-12-27

📋 Vendor Advisories (1)

Debian | CVE-2024-56527: tcpdf - An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmls... | 2024
CVE-2024-56527 — Cross-site Scripting in Tecnick Tcpdf | cvebase