spipu/html2pdf-v5.2.7: 5 vulnerabilities (highest severity is: 7.5) #604

mend-bolt-for-github · 2024-04-22T06:08:39Z

Vulnerable Library - spipu/html2pdf-v5.2.7

Html2Pdf is a HTML to PDF converter written in PHP5 (it uses TCPDF). OFFICIAL PACKAGE

Library home page: https://api.github.com/repos/spipu/html2pdf/zipball/b0f477711de3052041072897510e690975aa37ce

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spipu/html2pdf-v5.2.7 version)	Remediation Possible**
CVE-2024-22641	High	7.5	tecnickcom/tcpdf-6.6.2	Transitive	N/A*	❌
CVE-2024-22640	High	7.5	tecnickcom/tcpdf-6.6.2	Transitive	N/A*	❌
CVE-2024-51058	Medium	6.2	tecnickcom/tcpdf-6.6.2	Transitive	N/A*	❌
CVE-2023-39062	Medium	6.1	spipu/html2pdf-v5.2.7	Direct	v5.2.8	❌
CVE-2024-32489	Medium	5.3	tecnickcom/tcpdf-6.6.2	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-22641

Vulnerable Library - tecnickcom/tcpdf-6.6.2

TCPDF is a PHP class for generating PDF documents and barcodes.

Library home page: https://api.github.com/repos/tecnickcom/TCPDF/zipball/e3cffc9bcbc76e89e167e9eb0bbda0cab7518459

Dependency Hierarchy:

spipu/html2pdf-v5.2.7 (Root Library)
- ❌ tecnickcom/tcpdf-6.6.2 (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.

Publish Date: 2024-05-28

URL: CVE-2024-22641

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-22641

Release Date: 2024-05-28

Fix Resolution: tecnickcom/tcpdf - 6.7.5

Step up your Open Source Security Game with Mend here

CVE-2024-22640

Vulnerable Library - tecnickcom/tcpdf-6.6.2

TCPDF is a PHP class for generating PDF documents and barcodes.

Library home page: https://api.github.com/repos/tecnickcom/TCPDF/zipball/e3cffc9bcbc76e89e167e9eb0bbda0cab7518459

Dependency Hierarchy:

spipu/html2pdf-v5.2.7 (Root Library)
- ❌ tecnickcom/tcpdf-6.6.2 (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.

Publish Date: 2024-04-19

URL: CVE-2024-22640

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-22640

Release Date: 2024-04-19

Fix Resolution: 6.7.5

Step up your Open Source Security Game with Mend here

CVE-2024-51058

Vulnerable Library - tecnickcom/tcpdf-6.6.2

TCPDF is a PHP class for generating PDF documents and barcodes.

Library home page: https://api.github.com/repos/tecnickcom/TCPDF/zipball/e3cffc9bcbc76e89e167e9eb0bbda0cab7518459

Dependency Hierarchy:

spipu/html2pdf-v5.2.7 (Root Library)
- ❌ tecnickcom/tcpdf-6.6.2 (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through src tag, potentially exposing sensitive information.

Publish Date: 2024-11-26

URL: CVE-2024-51058

CVSS 3 Score Details (6.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-51058

Release Date: 2024-11-26

Fix Resolution: 6.7.6

Step up your Open Source Security Game with Mend here

CVE-2023-39062

Vulnerable Library - spipu/html2pdf-v5.2.7

Html2Pdf is a HTML to PDF converter written in PHP5 (it uses TCPDF). OFFICIAL PACKAGE

Library home page: https://api.github.com/repos/spipu/html2pdf/zipball/b0f477711de3052041072897510e690975aa37ce

Dependency Hierarchy:

❌ spipu/html2pdf-v5.2.7 (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

Cross Site Scripting vulnerability in Spipu HTML2PDF before v.5.2.8 allows a remote attacker to execute arbitrary code via a crafted script to the forms.php.

Publish Date: 2023-08-28

URL: CVE-2023-39062

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-08-28

Fix Resolution: v5.2.8

Step up your Open Source Security Game with Mend here

CVE-2024-32489

Vulnerable Library - tecnickcom/tcpdf-6.6.2

TCPDF is a PHP class for generating PDF documents and barcodes.

Library home page: https://api.github.com/repos/tecnickcom/TCPDF/zipball/e3cffc9bcbc76e89e167e9eb0bbda0cab7518459

Dependency Hierarchy:

spipu/html2pdf-v5.2.7 (Root Library)
- ❌ tecnickcom/tcpdf-6.6.2 (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

TCPDF before 6.7.4 mishandles calls that use HTML syntax.

Publish Date: 2024-04-15

URL: CVE-2024-32489

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-32489

Release Date: 2024-04-15

Fix Resolution: 6.7.4

Step up your Open Source Security Game with Mend here

mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Apr 22, 2024

mend-bolt-for-github bot changed the title ~~spipu/html2pdf-v5.2.7: 2 vulnerabilities (highest severity is: 6.1)~~ spipu/html2pdf-v5.2.7: 3 vulnerabilities (highest severity is: 7.5) Apr 23, 2024

mend-bolt-for-github bot changed the title ~~spipu/html2pdf-v5.2.7: 3 vulnerabilities (highest severity is: 7.5)~~ spipu/html2pdf-v5.2.7: 4 vulnerabilities (highest severity is: 7.5) Aug 5, 2024

mend-bolt-for-github bot changed the title ~~spipu/html2pdf-v5.2.7: 4 vulnerabilities (highest severity is: 7.5)~~ spipu/html2pdf-v5.2.7: 5 vulnerabilities (highest severity is: 7.5) Nov 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

spipu/html2pdf-v5.2.7: 5 vulnerabilities (highest severity is: 7.5) #604

spipu/html2pdf-v5.2.7: 5 vulnerabilities (highest severity is: 7.5) #604

mend-bolt-for-github bot commented Apr 22, 2024 •

edited

Loading

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (7.5)

Suggested Fix

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (7.5)

Suggested Fix

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (6.2)

Suggested Fix

Vulnerable Library - spipu/html2pdf-v5.2.7

Vulnerability Details

CVSS 3 Score Details (6.1)

Suggested Fix

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (5.3)

Suggested Fix

spipu/html2pdf-v5.2.7: 5 vulnerabilities (highest severity is: 7.5) #604

spipu/html2pdf-v5.2.7: 5 vulnerabilities (highest severity is: 7.5) #604

Comments

mend-bolt-for-github bot commented Apr 22, 2024 • edited Loading

Vulnerabilities

Details

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (7.5)

Suggested Fix

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (7.5)

Suggested Fix

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (6.2)

Suggested Fix

Vulnerable Library - spipu/html2pdf-v5.2.7

Vulnerability Details

CVSS 3 Score Details (6.1)

Suggested Fix

Vulnerable Library - tecnickcom/tcpdf-6.6.2

Vulnerability Details

CVSS 3 Score Details (5.3)

Suggested Fix

mend-bolt-for-github bot commented Apr 22, 2024 •

edited

Loading