Security Issue in TCPDF's SVG Font Handling
CVE-2024-56519

7.5HIGH

Key Information:

Vendor: Tecnick
Status: TcPDF
Vendor: CVE Published:; 27 December 2024

What is CVE-2024-56519?

A security flaw has been identified in earlier versions of TCPDF, specifically affecting the functionality of the setSVGStyles method. This vulnerability arises from the failure to adequately sanitize the SVG font-family attribute, which could potentially lead to various security risks. Developers using versions prior to 6.8.0 must be aware of this issue and consider upgrading to the latest release to ensure proper protection against possible exploits. For further details, refer to the official GitHub repository and documentation for TCPDF.

Affected Version(s)

tcpdf 0 < 6.8.0

References

https://github.com/tecnickcom/TCPDF/commit/c9f41cbb84880b...

https://tcpdf.org

https://github.com/tecnickcom/TCPDF/compare/6.7.8...6.8.0

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 27, 2024
Vulnerability Reserved
Dec 27, 2024

JSON

Tecnick

What is CVE-2024-56519?

Affected Version(s)

References

CVSS V3.1

Timeline