New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
HIGH 7.4 PyPI

WeasyPrint allows the attachment of arbitrary files and URLs to a PDF

GHSA-35jj-wx47-4w8r · CVE-2024-28184

Published · Modified

Description

Impact

Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if url_fetcher is configured to prevent access to files and URLs.

Patches

Fixed by 734ee8e that’s included in 61.2

Workarounds

  • Check that no PDF attachment is defined in source HTML.
  • Launch WeasyPrint in a sandbox that prevents access to the filesystem and the network.

Ready to move

Start Securing

Free, no credit card | First findings in minutes