CVE-2024-28184 WeasyPrint allows the attachment of arbitrary files and URLs to a PDF

2024-03-0900:50:32

CWE-829

GitHub_M

www.cve.org

weasyprint

vulnerability

attachment

arbitrary files

urls

pdf

patched

version 61.2

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

0.0004 Low

EPSS

Percentile

15.8%

JSON

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there’s a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if url_fetcher is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.

CNA Affected

[
  {
    "vendor": "Kozea",
    "product": "WeasyPrint",
    "versions": [
      {
        "version": ">= 61.0, <= 61.1",
        "status": "affected"
      }
    ]
  }
]