CVE-2019-19450 – python-reportlab: code injection in paraparser.py allows code execution
https://notcve.org/view.php?id=CVE-2019-19450
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

A code injection vulnerability was found in python-reportlab that may allow an attacker to execute code while parsing a unichar element attribute. An application that uses python-reportlab to parse untrusted input files may be vulnerable and could allow remote code execution.

References:
https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md
https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ
https://pastebin.com/5MicRrr4
https://access.redhat.com/security/cve/CVE-2019-19450
https://bugzilla.redhat.com/show_bug.cgi?id=2239920

CWE-91: XML Injection (aka Blind XPath Injection)
CVE-2023-33733
https://notcve.org/view.php?id=CVE-2023-33733
Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

References:
https://github.com/L41KAA/CVE-2023-33733-Exploit-PoC
https://github.com/c53elyas/CVE-2023-33733
https://github.com/buiduchoang24/CVE-2023-33733
https://github.com/hoangbui24/CVE-2023-33733
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36WOY22ECJCPOXHVTNCHEWOQLL7JSWP4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ALE727IRACYBTTOFIFG57RS4OA2SHIJ
CVE-2020-28463 – Server-side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2020-28463
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. To reduce risk, use trustedSchemes and trustedHosts (see ReportLab's documentation).

Steps to reproduce by Karan Bamal:
1. Download and install the latest package of reportlab
2. Go to demos -> odyssey -> dodyssey
3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/>
4.

References:
https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44
https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145
https://www.reportlab.com/docs/reportlab-userguide.pdf

CWE-918: Server-Side Request Forgery (SSRF)
CVE-2019-17626 – python-reportlab: code injection in colors.py allows attacker to execute code
https://notcve.org/view.php?id=CVE-2019-17626
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

A code injection vulnerability in python-reportlab allows an attacker to execute code while parsing a color attribute. An application that uses python-reportlab to parse untrusted input files may be vulnerable to this flaw and allow remote code execution.

References:
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html
https://access.redhat.com/errata/RHSA-2020:0195
https://access.redhat.com/errata/RHSA-2020:0197
https://access.redhat.com/errata/RHSA-2020:0201
https://access.redhat.com/errata/RHSA-2020:0230
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md
https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html
htt

CWE-91: XML Injection (aka Blind XPath Injection)
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')