Inclusion of Functionality from Untrusted Control Sphere

CVE-2024-28184

Severity High
Score 7.4/10

Summary

WeasyPrint helps web developers to create PDF documents. In the package weasyprint versions 61.0 and 61.1, there's a vulnerability that allows attaching content of arbitrary files and URLs to a generated PDF document, even if "url_fetcher" is configured to prevent access to files and URLs.

CVSS v3.x base metrics (labels restored from the metric values; the resulting vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L is consistent with the 7.4 score above):

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: LOW
  • Scope: CHANGED
  • User Interaction: NONE
  • Confidentiality: LOW
  • Integrity: LOW
  • Availability: LOW

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Advisory Timeline

  • Published