Tecnick Tcpdf vulnerabilities

6 known vulnerabilities affecting tecnick/tcpdf.

Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4

Vulnerabilities

CVE-2024-56521 | CRITICAL | CVSS 9.8 | fixed in 6.8.0 | 2024-12-27
CWE-295. An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
Sources: cvelistv5, nvd
CVE-2024-56527 | HIGH | CVSS 7.5 | fixed in 6.8.0 | 2024-12-27
CWE-79. An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.
Sources: cvelistv5, nvd
CVE-2024-56522 | HIGH | CVSS 7.5 | fixed in 6.8.0 | 2024-12-27
CWE-843. An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.
Sources: cvelistv5, nvd
CVE-2024-56519 | HIGH | CVSS 7.5 | fixed in 6.8.0 | 2024-12-27
CWE-79. An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.
Sources: cvelistv5, nvd
CVE-2024-56520 | HIGH | CVSS 7.3 | fixed in 6.8.0 | 2024-12-27
An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.
Sources: cvelistv5, nvd
CVE-2018-17057 | CRITICAL | CVSS 9.8 | PoC available | fixed in 6.2.22 | 2018-09-14
CWE-502. An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Sources: nvd