CVE-2024-1647 – pyhtml2pdf
Package
Manager: pip
Name: pyhtml2pdf
Vulnerable Version: >=0 <=0.0.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00183 (percentile 0.40273)
Details
Cross-site Scripting in Pyhtml2pdf. Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.
Metadata
Created: 2024-02-20T03:30:57Z
Modified: 2024-02-21T00:15:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-p3rv-qj56-2fqx/GHSA-p3rv-qj56-2fqx.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-p3rv-qj56-2fqx
Finding: F008
Auto approve: 1