Tecnickcom Tcpdf vulnerabilities
8 known vulnerabilities affecting tecnickcom/tcpdf.
Total CVEs: 8
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 5
Vulnerabilities
CVE-2024-56521 [HIGH] CWE-295: TCPDF missing certificate validation
Affected versions: ≥ 0, < 6.8.0. Published: 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
CVE-2024-56522 [HIGH] CWE-697: TCPDF has incorrect comparison
Affected versions: ≥ 0, < 6.8.0. Published: 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.
CVE-2024-56519 [MEDIUM] CWE-79: TCPDF lacks SVG sanitization
Affected versions: ≥ 0, < 6.8.0. Published: 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.
CVE-2024-56527 [MEDIUM] CWE-79: TCPDF missing character escape on error messages
Affected versions: ≥ 0, < 6.8.0. Published: 2024-12-27.
An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.
CVE-2024-51058 [MEDIUM] CWE-552: TCPDF Local File Inclusion vulnerability
Affected versions: ≥ 0, < 6.7.6. Published: 2024-11-26.
A Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through the src tag, potentially exposing sensitive information.
CVE-2024-22640 [MEDIUM] CWE-1333: TCPDF vulnerable to Regular Expression Denial of Service
Affected versions: ≥ 0, < 6.7.5. Published: 2024-04-19.
TCPDF version <= 6.7.4 is vulnerable to ReDoS (Regular Expression Denial of Service) when parsing an untrusted HTML page with a crafted color.
CVE-2024-32489 [MEDIUM] CWE-79: TCPDF Cross-site Scripting vulnerability
Affected versions: ≥ 0, < 6.7.4. Published: 2024-04-15.
TCPDF before 6.7.4 mishandles calls that use HTML syntax.
CVE-2018-17057 [CRITICAL] CWE-502: TCPDF vulnerable to attackers triggering deserialization of arbitrary data
Affected versions: ≥ 0, < 6.2.22. Published: 2022-10-06. Public exploit (PoC) available.
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the `phar://` wrapper.