CVE-2024-28184

High

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of…

GitHub_M·CWE-829·Published 2024-03-08

CVSS

7.4

EPSS

0.01

KEV

Exploits

cve.orgen

314 chars

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.

NVDen

314 chars

OSV.deven

433 chars

### Impact Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. ### Patches Fixed by 734ee8e that’s included in 61.2 ### Workarounds - Check that no PDF attachment is defined in source HTML. - Launch WeasyPrint in a sandbox that prevents access to the filesystem and the network.

GHSAen

433 chars

NVDes

346 chars

WeasyPrint ayuda a los desarrolladores web a crear documentos PDF. Desde la versión 61.0, existe una vulnerabilidad que permite adjuntar contenido de archivos y URL arbitrarios a un documento PDF generado, incluso si `url_fetcher` está configurado para impedir el acceso a archivos y URL. Esta vulnerabilidad ha sido parcheada en la versión 61.2.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	7.4	—	—	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
3.1	Primary	cve.org	7.4	—	—	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
3.1	Secondary	GHSA	7.4	—	—	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
3.1	Secondary	NVD	7.4	3.1	3.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L