CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
96.8%
Date: 2018-09-18 CVE ID: CVE-2018-17057
Description
CVE-2018-17057 identifies a security vulnerability in TCPDF, which also affects Contao. Through a manipulated image file, a logged in back end user can implant arbitrary code which is executed when an article is exported as PDF in the front end.
The vulnerability has been fixed in TCPDF 6.2.22.
Affected versions
Contao 3.* up to 3.5.35
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.34
Contao 4.5
Contao 4.6 up to 4.6.3
Suggested solution
Update to TCPDF 6.2.22 or Contao 3.5.36, 4.4.25 or 4.6.4.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
96.8%