PyPI package
reportlab
pkg:pypi/reportlab
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-19450 | — | < 3.5.31 | 3.5.31 | Sep 20, 2023 | paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626. | ||
| CVE-2023-33733 | — | < 3.6.13 | 3.6.13 | Jun 5, 2023 | Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file. | ||
| CVE-2020-28463 | — | < 3.5.55 | 3.5.55 | Feb 18, 2021 | All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of repo | ||
| CVE-2019-17626 | — | < 3.5.28 | 3.5.28 | Oct 16, 2019 | ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code. |
- CVE-2019-19450Sep 20, 2023affected < 3.5.31fixed 3.5.31
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
- CVE-2023-33733Jun 5, 2023affected < 3.6.13fixed 3.6.13
Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.
- CVE-2020-28463Feb 18, 2021affected < 3.5.55fixed 3.5.55
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of repo
- CVE-2019-17626Oct 16, 2019affected < 3.5.28fixed 3.5.28
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.