CVE-2022-30351 — HIGH (7.5)

Vulnerability Description

PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is "locked" and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Pdfzorro	Pdfzorro	r20220428

Related Weaknesses (CWE)

CWE-1116 CWE-116

References

https://arxiv.org/pdf/2206.02285.pdfThird Party Advisory
https://www.pdfzorro.com/pdf-edit/Product
https://arxiv.org/pdf/2206.02285.pdfThird Party Advisory
https://www.pdfzorro.com/pdf-edit/Product

FAQ

What is CVE-2022-30351?

CVE-2022-30351 is a vulnerability with a CVSS score of 7.5 (HIGH). PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information i...

How severe is CVE-2022-30351?

CVE-2022-30351 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-30351?

Check the references section above for vendor advisories and patch information. Affected products include: Pdfzorro Pdfzorro.