Tcpdf Project Tcpdf vulnerabilities
11 known vulnerabilities affecting tcpdf_project/tcpdf.
Total CVEs: 11
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 7, MEDIUM 2
Vulnerabilities
CVE-2024-56521 (CRITICAL, CVSS 9.8, CWE-295). Fixed in 6.8.0. Published 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
Sources: NVD, OSV
CVE-2024-56520 (HIGH, CVSS 7.3). Affected: ≥ 0, < 6.3.5+dfsg1-1+deb11u1; ≥ 0, < 6.6.2+dfsg1-1+deb12u1; +1 more. Published 2024-12-27.
An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.
Sources: OSV
CVE-2024-56527 (HIGH, CVSS 7.5, CWE-79). Fixed in 6.8.0. Published 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.
Sources: NVD, OSV
CVE-2024-56522 (HIGH, CVSS 7.5, CWE-843). Fixed in 6.8.0. Published 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.
Sources: NVD, OSV
CVE-2024-56519 (HIGH, CVSS 7.5, CWE-79). Fixed in 6.8.0. Published 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.
Sources: NVD, OSV
CVE-2024-51058 (MEDIUM, CVSS 6.2, CWE-552). Affected: v6.7.5. Published 2024-11-26.
A Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through the src tag, potentially exposing sensitive information.
Sources: NVD, OSV
CVE-2024-22641 (HIGH, CVSS 7.5, CWE-434). Affected: ≤ 6.7.4. Published 2024-05-28.
TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.
Sources: NVD, OSV
CVE-2024-22640 (HIGH, CVSS 7.5, CWE-1333). Affected: ≤ 6.7.4. Published 2024-04-19.
TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.
Sources: NVD, OSV
CVE-2024-32489 (MEDIUM, CVSS 6.1, CWE-80). Fixed in 6.7.4. Published 2024-04-15.
TCPDF before 6.7.4 mishandles calls that use HTML syntax.
Sources: NVD, OSV
CVE-2018-17057 (CRITICAL, CVSS 9.8, public PoC). Affected: ≥ 0, < 6.2.26+dfsg-1. Published 2018-09-14.
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Sources: OSV
CVE-2017-6100 (HIGH, CVSS 7.5, CWE-668). Affected: ≤ 6.1.1. Published 2017-02-23.
tcpdf before 6.2.0 uploads files from the server generating PDF files to an external FTP.
Sources: NVD, OSV