CVE-2024-28184

HIGH EPSS 45.6%
Published Mar 9, 2024 (2y ago) · Modified Jun 17, 2026 (2w ago)
7.4 CVSS 3.1
High

Description

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.

CVSS Details

Base Score: 7.4
Exploitability: 3.1
Impact: 3.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Threat Intelligence

EPSS Exploit Probability: 45.6% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-829

Affected Products 2

Vendor          Product      Version   Range
kozea           weasyprint   *         ≥61.0 – <61.2
fedoraproject   fedora       40        any

References 3

  • github.com https://github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598
    Patch
  • github.com https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r
    Vendor Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLQZMOEDY72TS43HDXOBVID2VYCTWIH6/
    Mailing List, Third Party Advisory

Remediation

  • github.com https://github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598
    Patch