Packagist (Composer) package
tecnickcom/tcpdf
pkg:composer/tecnickcom/tcpdf
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-56527 | — | | | < 6.8.0 | 6.8.0 | Dec 27, 2024 | An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message. |
| CVE-2024-56522 | — | | | < 6.8.0 | 6.8.0 | Dec 27, 2024 | An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes. |
| CVE-2024-56521 | — | | | < 6.8.0 | 6.8.0 | Dec 27, 2024 | An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely. |
| CVE-2024-56519 | — | | | < 6.8.0 | 6.8.0 | Dec 27, 2024 | An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. |
| CVE-2024-51058 | — | | | < 6.7.6 | 6.7.6 | Nov 26, 2024 | Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through src tag, potentially exposing sensitive information. |
| CVE-2024-22640 | — | | | < 6.7.5 | 6.7.5 | Apr 19, 2024 | TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color. |
| CVE-2024-32489 | — | | | < 6.7.4 | 6.7.4 | Apr 15, 2024 | TCPDF before 6.7.4 mishandles calls that use HTML syntax. |
| CVE-2018-17057 | — | | | < 6.2.22 | 6.2.22 | Sep 14, 2018 | An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper. |