Advisories for Pypi/Reportlab package

2023

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

Remote Code Execution

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

2022

XML Injection (aka Blind XPath Injection)

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

2021

Server-Side Request Forgery (SSRF)

Reportlab is vulnerable to Server-side Request Forgery (SSRF) via img tags.