CIVI-SA-2019-10: TCPDF XSS and RCE vulnerabilities

Published
2019-05-15 09:00
Written by

TCPDF converts HTML content to PDF. The library had vulnerabilities, including cross-site scripting and remote code execution. The library has now been upgraded to a fixed version.

Security Risk

Critical

Vulnerability

Other
Affected Versions

CiviCRM versions 5.13.0 and earlier

Fixed Versions

CiviCRM versions 5.13.4 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Jon Goldberg of Megaphone Technology Consulting for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References

security/core#53

CVE

CVE-2018-17057