CVE-2024-56519: 
PHP vulnerability analysis and mitigation

An issue was discovered in TCPDF before version 6.8.0 where the setSVGStyles function does not properly sanitize the SVG font-family attribute (NVD, Debian Tracker). The vulnerability was disclosed on December 27, 2024, and affects multiple versions of the TCPDF library, which is widely used for generating PDF documents in PHP applications.

The vulnerability exists in the setSVGStyles function of TCPDF, where the SVG font-family attribute is not properly sanitized before processing. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high-severity vulnerability that can be exploited remotely without requiring privileges or user interaction (NVD). The vulnerability has been classified as CWE-79, which refers to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

The vulnerability primarily affects the confidentiality of the system, as indicated by the CVSS score metrics showing high impact on confidentiality (C:H) while having no impact on integrity (I:N) and availability (A:N) (NVD).

The vulnerability has been fixed in TCPDF version 6.8.0. The fix involves proper sanitization of the font-family attribute in the setSVGStyles function (GitHub Commit). Users are advised to upgrade to version 6.8.0 or later to address this security issue.