Flaw in Popular PDF Creation Library Enabled Remote Code Execution

Polict, a security researcher, found that TCPDF, a widely used PHP library for generating PDF files, could be made to deserialize attacker-controlled data, 'unpacking' it into PHP objects whose code then runs on the server: a remote code execution flaw. The original deserialization flaw was fixed in September 2018, but Polict found another route to it, using XSS to inject crafted content into the library's input and trigger the deserialization. He disclosed this second flaw privately to the TCPDF developers in September 2018, and it was fixed within a month. Users of TCPDF are protected once they run version 6.2.22 or later, so anyone on an earlier release should upgrade.
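To make the mechanism behind this class of bug concrete, here is an added illustration of PHP object deserialization leading to code execution, written for this summary. It is not TCPDF's code, not Polict's exploit, and not the specific path he used; the `CacheWriter` class is a hypothetical stand-in for the kind of "gadget" class that real applications contain, and the payload is constructed in the script itself.

```php
<?php
// Added example (not TCPDF's code, not the original exploit): why letting
// attacker-controlled data reach unserialize() can end in code execution,
// and two defensive patterns that close the hole.

// Hypothetical gadget: a class whose magic __destruct method does something
// useful in the application (here, persisting a cache entry to disk).
// PHP runs __destruct automatically when the object is torn down, including
// for objects that unserialize() just built from untrusted input.
class CacheWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Constructed attacker payload: a serialized CacheWriter whose properties
// point at a file the web server would execute as PHP. serialize() is used
// only so the string is exact; an attacker hand-crafts the same text.
function attackerPayload(string $targetPath): string
{
    $obj = new CacheWriter();
    $obj->path = $targetPath;
    $obj->data = '<?php echo "attacker code ran"; ?>';
    return serialize($obj);
}

// Vulnerable pattern: unrestricted unserialize() of untrusted input.
// The object is instantiated, and __destruct fires as soon as it is dropped,
// writing the attacker's file without any further interaction.
function vulnerableLoad(string $untrusted): void
{
    $o = unserialize($untrusted);
    unset($o);
}

// Hardened pattern 1 (PHP >= 7.0): forbid instantiating any class.
// Objects in the payload become __PHP_Incomplete_Class, whose magic
// methods never execute.
function safeLoad(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
// A data-only format such as JSON cannot carry objects with behaviour.
function safeLoadJson(string $untrusted): ?array
{
    $v = json_decode($untrusted, true);
    return is_array($v) ? $v : null;
}

$target  = sys_get_temp_dir() . '/deser_demo.php';
$payload = attackerPayload($target);

vulnerableLoad($payload);
var_dump(file_exists($target));   // bool(true): the gadget wrote the file
unlink($target);

$v = safeLoad($payload);
var_dump(get_class($v));          // string "__PHP_Incomplete_Class"
var_dump(file_exists($target));   // bool(false): nothing executed

var_dump(safeLoadJson($payload)); // NULL: serialized PHP is not valid JSON
```

The point of the demonstration is that the dangerous step is not the gadget class itself, which is ordinary application code, but the fact that an attacker chooses which classes get instantiated and with what property values. Any library that passes user-influenced data into `unserialize()`, directly or through a wrapper that deserializes behind the scenes, inherits that risk, which is why the fix for a flaw like the one in TCPDF has to close every route by which crafted input can reach the deserializer, not just the first one reported.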

Relevant URL(s): https://nakedsecurity.sophos.com/2019/03/21/flaw-in-popular-pdf-creation-library-enabled-remote-code-execution/