You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
| package | installed | affected | ID |
+============================+===========+==========================+==========+
| reportlab | 3.5.68 | >=0.0 | 39642 |
+==============================================================================+
| All versions of package reportlab are vulnerable to Server-side Request |
| Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & |
| trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan |
| Bamal: 1. Download and install the latest package of reportlab 2. Go to |
| demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to |
| be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> |
| 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will |
| get a hit on your nc showing we have successfully proceded to send a server |
| side request 7. dodyssey.py will show error since there is no img file on |
| the url, but we are able to do SSRF. See CVE-2020-28463. |
The text was updated successfully, but these errors were encountered:
safetyreports:The text was updated successfully, but these errors were encountered: