Inclusion of Functionality from Untrusted Control Sphere
CVE-2024-28184
Summary
WeasyPrint helps web developers to create PDF documents. In the package weasyprint versions 61.0 and 61.1, there's a vulnerability that allows attaching content of arbitrary files and URLs to a generated PDF document, even if "url_fetcher" is configured to prevent access to files and URLs.
- LOW
- NETWORK
- LOW
- CHANGED
- NONE
- LOW
- LOW
- LOW
CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
References
Advisory Timeline
- Published