CVE-2024-28184 — Inclusion of Functionality from Untrusted Control Sphere in Weasyprint

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere6 documents5 sources

Severity

7.4HIGHNVD

EPSS

0.1%

top 68.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kozea Weasyprint Fedoraproject Fedora

Timeline

PublishedMar 9

Description

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:LExploitability: 3.1 | Impact: 3.7

Affected Packages4 packages

▶NVDkozea/weasyprint61.0 — 61.2

▶PyPIkozea/weasyprint61.0 — 61.2

▶Debiankozea/weasyprint< 61.2-1+1

▶CVEListV5kozea/weasyprint>= 61.0, <= 61.1

Also affects: Fedora 40

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

WeasyPrint allows the attachment of arbitrary files and URLs to a PDF↗2024-03-09

▶

OSV

CVE-2024-28184: WeasyPrint helps web developers to create PDF documents↗2024-03-09

▶

OSV

WeasyPrint allows the attachment of arbitrary files and URLs to a PDF↗2024-03-08

▶

GHSA

WeasyPrint allows the attachment of arbitrary files and URLs to a PDF↗2024-03-08

▶

📋Vendor Advisories

Debian

CVE-2024-28184: weasyprint - WeasyPrint helps web developers to create PDF documents. Since version 61.0, the...↗2024

▶