CVE-2024-32489
15.04.2024, 06:15

TCPDF before 6.7.4 mishandles calls that use HTML syntax.

Basic XSS
Enginsight

Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   6.1 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitre      CNA    -            -             -                 -                -
CVE        ADP    -            -             -                 -                -
CISA-ADP   ADP    6.1 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score: CVSS 3.x
EPSS Score: Percentile: 56%

Vendor          Product   Version
tcpdf_project   tcpdf     x < 6.7.4
(x = vulnerable software versions)

Debian Releases
Debian Product   Codename   Version        Status
tcpdf            bullseye                  no-dsa
tcpdf            bookworm                  no-dsa
tcpdf            sid        6.9.1+dfsg-1   fixed
tcpdf            trixie     6.9.1+dfsg-1   fixed

Ubuntu Releases
Ubuntu Product   Codename   Status
tcpdf            plucky     not-affected
tcpdf            oracular   not-affected
tcpdf            noble      not-affected
tcpdf            mantic     ignored
tcpdf            jammy      needs-triage
tcpdf            focal      needs-triage
tcpdf            bionic     needs-triage
tcpdf            xenial     needs-triage
tcpdf            trusty     needs-triage

Common Weakness Enumeration
CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

References
https://github.com/tecnickcom/TCPDF/commit/51cd1b39de5643836e62661d162c472d63167df7
https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
https://github.com/tecnickcom/TCPDF/compare/6.6.2...6.7.4