
CVE-2019-19450 – python-reportlab: code injection in paraparser.py allows code execution
https://notcve.org/view.php?id=CVE-2019-19450
20 Sep 2023 — paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '

CVE-2023-33733 – Ubuntu Security Notice USN-6196-1
https://notcve.org/view.php?id=CVE-2023-33733
05 Jun 2023 — Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file. Elyas Damej discovered that a sandbox mechanism in ReportLab, a Python library to create PDF documents, could be bypassed which may result in the execution of arbitrary code when converting malformed HTML to a PDF document. • https://github.com/L41KAA/CVE-2023-33733-Exploit-PoC • CWE-94: Improper Control of Generation of Code ('Code Injection') • CVSS: 7.8 • EPSS: 19% • CPEs: 1 • EXPL: 5

CVE-2020-28463 – Server-side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2020-28463
18 Feb 2021 — All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see ReportLab's documentation). Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. • https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html • CWE-918: Server-Side Request Forgery (SSRF) •
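The mitigation named above is an allow-list on the scheme and host of every URL the renderer would fetch. The following is an added, stand-alone illustration of that idea (it is not ReportLab's own code, and the exact matching rules of ReportLab's trustedSchemes/trustedHosts settings are not reproduced here; the hostnames, the policy and the sample markup are constructed for the example). It also drops address literals for loopback, private and link-local ranges, which is the check a practitioner would want in front of any fetch triggered by user-supplied markup.

```python
"""Added example: allow-list check for <img src="..."> URLs in user-supplied
markup, modelled on the trustedSchemes / trustedHosts idea.  Stand-alone
re-implementation for illustration, not ReportLab's code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed policy (assumption): what a server rendering untrusted markup might allow.
TRUSTED_SCHEMES = {"https", "data"}                          # no file:, no plain http:
TRUSTED_HOSTS = {"cdn.example.com", "static.example.com"}    # hypothetical hosts

# Matches the <img .../> form used in the reproduction steps above.
IMG_RE = re.compile(r'<img\s+[^>]*?src="([^"]*)"[^>]*/?>', re.IGNORECASE)


def _host_is_internal(host: str) -> bool:
    """True for loopback/private/link-local/reserved address literals, the usual SSRF targets."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal; the host allow-list decides
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def img_src_allowed(src: str) -> bool:
    """Decide whether an <img src> may be fetched while rendering a document."""
    parts = urlsplit(src.strip())
    scheme = parts.scheme.lower()
    if scheme not in TRUSTED_SCHEMES:
        return False
    if scheme == "data":
        return True  # inline image data, no network access
    host = (parts.hostname or "").lower()
    if not host or _host_is_internal(host):
        return False
    return host in TRUSTED_HOSTS


def strip_untrusted_images(markup: str):
    """Remove <img> tags whose src fails the policy.

    Returns (cleaned_markup, rejected_urls) so the caller can log what was dropped.
    """
    rejected = []

    def repl(m):
        if img_src_allowed(m.group(1)):
            return m.group(0)
        rejected.append(m.group(1))
        return ""

    return IMG_RE.sub(repl, markup), rejected


# Constructed sample: a fragment of the demo text with the SSRF tag injected
# next to a legitimate image on an allow-listed host.
SAMPLE = ('Sing, O goddess, the anger of Achilles '
          '<img src="http://127.0.0.1:5000" valign="top"/> son of Peleus '
          '<img src="https://cdn.example.com/rule.png"/>')

if __name__ == "__main__":
    cleaned, rejected = strip_untrusted_images(SAMPLE)
    print(cleaned)
    print("rejected:", rejected)
```

The loopback check matters even with a host allow-list in place: a policy that only lists permitted names but still accepts raw IP literals lets `https://127.0.0.1:5000/` through, which is exactly the target in the reproduction steps.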

CVE-2019-17626 – python-reportlab: code injection in colors.py allows attacker to execute code
https://notcve.org/view.php?id=CVE-2019-17626
16 Oct 2019 — ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '
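Both CVE-2019-17626 (toColor(eval(arg)) in colors.py) and CVE-2019-19450 (start_unichar in paraparser.py) are the same defect: an attribute string from untrusted markup is handed to eval(). The block below is an added illustration, not ReportLab's code: a minimal stand-in for the eval pattern, with a canary function showing that any expression in the attribute runs, beside a hardened parser that accepts the same legitimate inputs (names, #RRGGBB, numeric tuples, integer code points) without evaluating Python. The colour table and helper names are constructed for the example.

```python
"""Added example (not ReportLab's code): eval-on-attribute pattern vs. a
hardened parser that only accepts literals."""
import ast
import re

NAMED_COLORS = {"red": (1.0, 0.0, 0.0), "black": (0.0, 0.0, 0.0)}  # constructed subset
CALLED = []  # canary log: records whether attacker-controlled code executed


def canary():
    """Stands in for whatever an attacker's expression would do."""
    CALLED.append("ran")
    return (0.0, 0.0, 0.0)


# --- vulnerable pattern: the attribute string goes straight to eval() -------
def to_color_unsafe(arg: str):
    """Mirrors toColor(eval(arg)): a tuple literal works, but so does any expression."""
    if arg in NAMED_COLORS:
        return NAMED_COLORS[arg]
    return tuple(eval(arg))  # code injection: arg comes from untrusted markup


# --- hardened replacement: parse, never evaluate ----------------------------
HEX_RE = re.compile(r"^#([0-9a-fA-F]{6})$")


def to_color_safe(arg: str):
    """Accept a colour name, #RRGGBB, or a (r, g, b) literal in [0, 1]; reject everything else."""
    arg = arg.strip()
    if arg in NAMED_COLORS:
        return NAMED_COLORS[arg]
    m = HEX_RE.match(arg)
    if m:
        v = int(m.group(1), 16)
        return tuple(((v >> s) & 0xFF) / 255.0 for s in (16, 8, 0))
    try:
        val = ast.literal_eval(arg)  # literals only; names, calls, attributes raise
    except (ValueError, SyntaxError):
        raise ValueError(f"invalid color: {arg!r}")
    if (isinstance(val, tuple) and len(val) == 3
            and all(isinstance(c, (int, float)) and 0 <= c <= 1 for c in val)):
        return tuple(float(c) for c in val)
    raise ValueError(f"invalid color: {arg!r}")


def unichar_safe(code: str) -> str:
    """For a <unichar code="..."/>-style attribute: integer code point, decimal or 0x-hex."""
    code = code.strip()
    n = int(code, 16) if code.lower().startswith("0x") else int(code, 10)
    if not 0 <= n <= 0x10FFFF:
        raise ValueError(f"code point out of range: {n}")
    return chr(n)


def safe_rejects(arg: str) -> bool:
    """True if the hardened parser refuses arg without running anything."""
    before = len(CALLED)
    try:
        to_color_safe(arg)
    except ValueError:
        return len(CALLED) == before
    return False


if __name__ == "__main__":
    print(to_color_unsafe("canary()"), CALLED)      # the canary ran
    print(to_color_safe("#FF0000"), to_color_safe("(0.5, 0.25, 0)"))
    print(safe_rejects("canary()"), unichar_safe("0x41"))
```

ast.literal_eval is the right tool only because the accepted grammar is a fixed set of literals; if a format needs arithmetic or names, write a small explicit parser for it rather than reaching for eval() with a restricted namespace, which is the bypassable "sandbox" pattern that reappears in CVE-2023-33733 above.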