
CVSS: 9.8 • EPSS: 26% • CPEs: 2 • EXPL: 2

An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper. TCPDF versions 6.2.19 and below suffer from a deserialization vulnerability that can allow for remote code execution.

References:
https://www.exploit-db.com/exploits/46634
http://packetstormsecurity.com/files/152200/TCPDF-6.2.19-Deserialization-Remote-Code-Execution.html
http://packetstormsecurity.com/files/152360/LimeSurvey-Deserialization-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2019/Mar/36
https://contao.org/en/news/security-vulnerability-cve-2018-17057.html
https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b3150bb44aaa7af1a81062a591a5
https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26ed

CWE-502: Deserialization of Untrusted Data

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

TCPDF before 6.2.0 uploads files from the server that generates the PDF files to an external FTP server.

References:
http://www.openwall.com/lists/oss-security/2017/02/19/1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814030
https://sourceforge.net/p/tcpdf/bugs/1005

CWE-668: Exposure of Resource to Wrong Sphere