Security Risk: Critical
Vulnerability: Other
Affected Versions: CiviCRM versions 5.13.0 and earlier

Fixed Versions: CiviCRM versions 5.13.4 and 5.7.6

Publication Date: Wednesday, May 15, 2019
Description:

TCPDF is the library CiviCRM uses to convert HTML content to PDF. The version previously shipped had vulnerabilities, including cross-site scripting and remote code execution. The library has now been upgraded to a fixed version.

Solutions:

Upgrade to the latest version of CiviCRM.

Credits:

Jon Goldberg of Megaphone Technology Consulting for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References: security/core#53

CVE: CVE-2018-17057