本ページは reportlab reportlab に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2019-19450 | paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626. | [email protected] | 9.8 | 4.45% | 2023-09-20 | 2024-11-21 |
| CVE-2023-33733 | Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file. | [email protected] | 7.8 | 2.25% | 2023-06-05 | 2025-01-08 |
| CVE-2020-28463 | All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dody | [email protected] | 6.5 | 1.49% | 2021-02-18 | 2024-11-21 |
| CVE-2019-17626 | ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code. | [email protected] | 9.8 | 10.23% | 2019-10-16 | 2024-11-21 |