#VU102263 Incorrect comparison in TCPDF - CVE-2024-56522

Cybersecurity Help s.r.o.

Published: 2024-12-30

Vulnerability identifier: #VU102263

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56522

CWE-ID: CWE-697

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TCPDF
Web applications / Other software

Vendor: Nicola Asuni

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to incorrect comparison in unserializeTCPDFtag when processing TCPDF tag hashes. A remote attacker can bypass certain security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

TCPDF: 6.0.0 - 6.7.8

External links
https://github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89
https://github.com/advisories/GHSA-w95c-7994-ghpr

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 40 update for phpMyAdmin

Fedora 41 update for phpMyAdmin

Fedora 41 update for php-tcpdf

Fedora 40 update for php-tcpdf

Multiple vulnerabilities in TCPDF