Debian Python-Reportlab vulnerabilities

CVE-2023-33733 [HIGH] CVE-2023-33733: python-reportlab - Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying... Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file. Scope: local bookworm: resolved (fixed in 3.6.12-1+deb12u1) bullseye: resolved (fixed in 3.5.59-2+deb11u1) forky: resolved (fixed in 3.6.13-1) sid: resolved (fixed in 3.6.13-1) trixie: resolved (fixed in 3.6.13-1)

CVE-2020-28463 [MEDIUM] CVE-2020-28463: python-reportlab - All versions of package reportlab are vulnerable to Server-side Request Forgery ... All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt t

CVE-2019-19450 [CRITICAL] CVE-2019-19450: python-reportlab - paraparser in ReportLab before 3.5.31 allows remote code execution because start... paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626. Scope: local bookworm: resolved (fixed in 3.5.31-1) bullseye: resolved (fixed

CVE-2019-17626 [CRITICAL] CVE-2019-17626: python-reportlab - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(ar... ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code. Scope: local bookworm: resolved (fixed in 3.5.34-1) bullseye: resolved (fixed in 3.5.34-1) forky: resolved (fixed in 3.5.34-1) sid: resolved (fixed in 3.5.34-1