GHSA-pj98-2xf6-cff5

Source
https://github.com/advisories/GHSA-pj98-2xf6-cff5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-pj98-2xf6-cff5/GHSA-pj98-2xf6-cff5.json
Aliases
  • CVE-2019-19450
Published
2023-09-20T15:30:51Z
Modified
2023-11-08T04:01:28.419584Z
Details

paraparser in ReportLab before 3.5.31 allows remote code execution: start_unichar in paraparser.py evaluates the untrusted code attribute of a unichar element with Python's eval, so a crafted XML document containing '<unichar code="' followed by arbitrary Python code runs that code when the document is parsed. This is a similar issue to CVE-2019-17626.

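The following is an added illustration of the pattern the advisory describes, not ReportLab's own code: a toy <para> renderer whose <unichar code="..."> handler hands the attribute to eval (modelled on the pre-3.5.31 behaviour), beside a hardened handler that only accepts a numeric code point, plus a helper that checks an installed version string against the 3.5.31 fix boundary from the affected range. The XML document, the marker environment variable and the injected expression are constructed for the demonstration; the element and attribute names mirror the advisory.

```python
"""Added example for GHSA-pj98-2xf6-cff5 / CVE-2019-19450 (not ReportLab code).

Shows why eval() on the unichar code attribute is remote code execution and
what a safe replacement looks like.
"""
import os
import xml.etree.ElementTree as ET

MAX_CODE_POINT = 0x10FFFF
FIXED_VERSION = (3, 5, 31)          # first version outside the affected range

# Constructed marker: the injected expression sets this to prove code ran.
MARKER = "UNICHAR_RCE_DEMO"
# Constructed payload: a side effect (setting an env var) that still evaluates
# to a plausible code point (65 == 'A'), so the rendered output looks normal.
INJECTED_CODE = (
    "__import__('os').environ.__setitem__('" + MARKER + "', '1') or 65"
)
# Constructed document in the advisory's shape: '<unichar code="' + python.
DOC = '<para>x<unichar code="' + INJECTED_CODE + '"/>y</para>'


def unsafe_unichar(code: str) -> str:
    """Models the vulnerable handler: the attribute string goes to eval()."""
    return chr(int(eval(code)))  # DO NOT USE: attacker-controlled eval


def safe_unichar(code: str) -> str:
    """Hardened handler: parse a literal integer, never evaluate an expression.

    int(s, 0) accepts '65', '0x41', '0o101', '0b1000001' and nothing else
    (a leading zero such as '065' is rejected), so '1+1' or a call raises.
    """
    code = code.strip()
    try:
        cp = int(code, 0)
    except ValueError:
        raise ValueError(f"<unichar/> invalid code attribute {code!r}") from None
    if not 0 <= cp <= MAX_CODE_POINT or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"<unichar/> code {cp:#x} is not a valid scalar value")
    return chr(cp)


def render_para(xml_text: str, unichar_handler) -> str:
    """Minimal stand-in for a paragraph parser: concatenates text and expands
    <unichar code=.../> through the supplied handler."""
    root = ET.fromstring(xml_text)
    out = [root.text or ""]
    for child in root:
        if child.tag == "unichar":
            code = child.attrib.get("code")
            out.append(unichar_handler(code) if code is not None else "")
        else:
            out.append(child.text or "")
        out.append(child.tail or "")
    return "".join(out)


def is_affected(version: str) -> bool:
    """True when a reportlab version string falls in the advisory's range
    (introduced 0, fixed 3.5.31)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts < FIXED_VERSION


def demo() -> dict:
    """Run the constructed document through both handlers and report."""
    os.environ.pop(MARKER, None)
    unsafe_render = render_para(DOC, unsafe_unichar)   # looks like "xAy" ...
    marker_set = os.environ.get(MARKER) == "1"         # ... but code executed
    try:
        render_para(DOC, safe_unichar)
        safe_rejects_payload = False
    except ValueError:
        safe_rejects_payload = True
    return {
        "unsafe_render": unsafe_render,
        "marker_set": marker_set,
        "safe_rejects_payload": safe_rejects_payload,
    }


if __name__ == "__main__":
    print(demo())
    print("3.5.28 affected:", is_affected("3.5.28"))
    print("3.5.31 affected:", is_affected("3.5.31"))
```

The point of the unsafe path is that the rendered output is indistinguishable from a legitimate document: the attacker's expression evaluates to a valid code point, so nothing in the PDF reveals that a side effect ran during parsing. Any document source that is not fully trusted should be parsed only with a version at or above 3.5.31, and the version check above is the simplest gate to add to a build or deployment pipeline.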
References

Affected packages

PyPI / reportlab

Package

Name
reportlab

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
The exact introduced commit is unknown
Fixed
3.5.31

Affected versions

2.*

2.0
2.3
2.4
2.5
2.6
2.7

3.*

3.0
3.1.8
3.1.44
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.5.4
3.5.5
3.5.6
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.16
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.23
3.5.26
3.5.28