2 matches found
endroid/qr-code-bundle File Disclosure via logo_path query parameter
Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a security vulnerability that allows disclosure of files through the logo_path query parameter. The vulnerability arises from the improper handling of non-image data as the logo, which could lead to unintended file disclosure...
Information Disclosure
endroid/qr-code is vulnerable to information disclosure. The logo is not validated to contain valid image data, allowing an attacker to specify non-image data and retrieve data from non-image files...