CVE-2019-19450: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

September 20, 2023 (updated September 21, 2023)

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with ‘<unichar code="’ followed by arbitrary Python code, a similar issue to CVE-2019-17626.

References

github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md
github.com/advisories/GHSA-pj98-2xf6-cff5
nvd.nist.gov/vuln/detail/CVE-2019-19450
pastebin.com/5MicRrr4

Detect and mitigate CVE-2019-19450 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →