Aggregates CVE and security vulnerability intelligence across all reportlab-related products, including CVSS scores, EPSS probabilities, publication dates, and related vulnerability intelligence data.
Historical issues mainly involve SSRF and related security problems, affecting software deployment and production workload scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2019-19450 | paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with `<unichar code="` followed by arbitrary Python code, a similar issue to CVE-2019-17626. | [email protected] | 9.8 | 9.48% | 2023-09-20 | 2024-11-21 |
| CVE-2023-33733 | Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file. | [email protected] | 7.8 | 30.23% | 2023-06-05 | 2025-01-08 |
| CVE-2020-28463 | All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation). Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject `<img src="http://127.0.0.1:5000" valign="top"/>` 4. Create a nc listener nc -lp 5000 5. Run python3 dody | [email protected] | 6.5 | 1.16% | 2021-02-18 | 2024-11-21 |
| CVE-2019-17626 | ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with `<span color="` followed by arbitrary Python code. | [email protected] | 9.8 | 16.84% | 2019-10-16 | 2024-11-21 |