paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
References
Configurations
History
28 Apr 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Feb 2024, 01:08
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-09-20 14:15
Updated : 2024-04-28 04:15
NVD link : CVE-2019-19450
Mitre link : CVE-2019-19450
CVE.ORG link : CVE-2019-19450
JSON object : View
Products Affected
reportlab
- reportlab
debian
- debian_linux
CWE
CWE-91
XML Injection (aka Blind XPath Injection)