| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tecnickcom/tcpdf | composer | <= 6.7.5 | 6.7.6 |
The vulnerability was patched by adding a check for '../' in image sources within the openHTMLTagHandler method (commit bfa7d2b). Before the patch, the code in tcpdf.php (lines 19059-19065) did not validate directory traversal sequences when processing local file paths supplied through the 'file://' protocol or HTML image sources. Because this method implements the image embedding logic and performed no path normalization or restriction, it was the entry point for local file inclusion (LFI) via crafted <img> tags.
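As an added illustration (not TCPDF's own code and not the content of commit bfa7d2b), the PHP function below shows the defensive check described above in a self-contained form: it rejects '../' sequences as the patch does, and additionally canonicalises the path with realpath() and verifies it stays inside an allow-listed image directory. The function name, the base directory and the demo file are assumptions.

```php
<?php
// Added example, not TCPDF code: confine a local image source taken from
// HTML to an allow-listed directory before the file is read.

function resolveLocalImagePath(string $src, string $baseDir): ?string
{
    // The page notes that 'file://' sources are handled; strip the scheme.
    if (stripos($src, 'file://') === 0) {
        $src = substr($src, 7);
    }
    // Reject traversal sequences outright (the pattern the patch checks for).
    if (strpos($src, '../') !== false || strpos($src, '..\\') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Treat the source as relative to the base directory, then canonicalise:
    // realpath() resolves '.', symlinks and returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . ltrim($src, '/\\'));
    if ($real === false) {
        return null;
    }
    // The resolved file must sit strictly below the base directory.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary image directory (assumed name) with one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tcpdf_images_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'logo.png', 'demo-bytes');

foreach (['file://logo.png', 'logo.png', '../outside.txt', 'missing.png'] as $src) {
    $resolved = resolveLocalImagePath($src, $dir);
    echo str_pad($src, 18) . ' => ' . ($resolved === null ? 'rejected' : $resolved) . PHP_EOL;
}
```

Only the two forms of logo.png resolve; the traversal attempt and the missing file are both rejected before any read happens.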