Reportlab 2.3

CPE Details

Reportlab 2.3
reportlab
reportlab
2.3
2021-07-15
16h31 +00:00
2021-07-16
15h38 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:reportlab:reportlab:2.3:*:*:*:*:*:*:*

Informations

Vendor

reportlab

Product

reportlab

Version

2.3

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2019-19450 2023-09-19 22h00 +00:00 paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '9.8
Critical
CVE-2023-33733 2023-06-04 22h00 +00:00 Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.
7.8
High
CVE-2020-28463 2021-02-18 16h00 +00:00 All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF
6.5
Medium
CVE-2019-17626 2019-10-16 09h29 +00:00 ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '9.8
Critical
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.