CVE-2024-56527 – tecnickcom/tcpdf
Package
Manager: composer
Name: tecnickcom/tcpdf
Vulnerable Version: >=0 <6.8.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00543 (percentile: 0.66758)
Details
TCPDF missing character escape on error messages
An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.
Metadata
Created: 2024-12-27T06:30:48Z
Modified: 2024-12-27T21:07:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-qx95-cwh6-9mvq/GHSA-qx95-cwh6-9mvq.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-qx95-cwh6-9mvq
Finding: F008
Auto approve: 1