CVE-2019-19450

a guest
Aug 8th, 2023
Python | Cybersecurity
# Exploit Title: CVE-2019-19450: RCE in ReportLab through paraparser
# Reported to ReportLab: Nov 29, 2019
# Impacted Versions: v3.5.30 and before

# Description
ReportLab before 3.5.31 allows remote code execution because
start_unichar in paraparser.py evaluates untrusted user input in
a unichar element in a crafted XML document with '<unichar code="'
followed by arbitrary Python code, a similar issue to CVE-2019-17626.

The vendor has credited this finding, as can be seen on the changes page (https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md#release-353115102019).

# Vulnerability Type: Other
Remote Code Execution

# Vendor of Product
reportlab

# Affected Product Code Base
https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md (all ReportLab versions < 3.5.31)

# Affected Component
paraparser/platypus

# Attack Type
Remote

# Impact: Code execution
true

# Attack Vectors
To exploit the issue, as with CVE-2019-17626, a malicious user has to
supply a crafted 'unichar' tag in the HTML-like paragraph markup and then
use ReportLab's PDF generation feature on that document.
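As an added defender-side example (not part of the original paste and not ReportLab's own code), the following Python resolves a `unichar` code attribute to a character without evaluating it: only a plain decimal or 0x-hex integer literal is accepted, and any other value is rejected before the markup reaches a PDF generator. The accepted forms, the `<para>` wrapper and the well-formed-XML assumption are mine, not ReportLab's grammar.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET
from typing import List

# Assumed grammar for a safe code attribute: a decimal integer or a 0x-prefixed
# hexadecimal integer, nothing else. An expression such as ord('A') is rejected
# outright instead of being handed to eval() as the vulnerable versions did.
_DEC_RE = re.compile(r"^[0-9]{1,7}$")
_HEX_RE = re.compile(r"^0[xX][0-9A-Fa-f]{1,6}$")


def unichar_from_code(code: str) -> str:
    """Resolve <unichar code="..."/> to a single character without eval()."""
    code = code.strip()
    if _DEC_RE.match(code):
        cp = int(code, 10)
    elif _HEX_RE.match(code):
        cp = int(code, 16)
    else:
        raise ValueError(f"rejected unichar code attribute: {code!r}")
    # Reject values outside Unicode and inside the UTF-16 surrogate range.
    if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"code point out of range: {cp:#x}")
    return chr(cp)


def unichar_from_name(name: str) -> str:
    """Resolve <unichar name="..."/> through the Unicode character database."""
    try:
        return unicodedata.lookup(name.strip())
    except KeyError:
        raise ValueError(f"unknown Unicode character name: {name!r}") from None


def resolve_unichar_tags(markup: str) -> List[str]:
    """Validate every <unichar> in a paragraph fragment before it is handed to a
    PDF generator; returns the resolved characters or raises on the first bad tag.
    Assumes the fragment is well-formed XML (it is wrapped in a <para> root)."""
    root = ET.fromstring(f"<para>{markup}</para>")
    resolved = []
    for el in root.iter("unichar"):
        has_name, has_code = "name" in el.attrib, "code" in el.attrib
        if has_name and has_code:
            raise ValueError("unichar with both name and code attributes")
        if has_code:
            resolved.append(unichar_from_code(el.attrib["code"]))
        elif has_name:
            resolved.append(unichar_from_name(el.attrib["name"]))
        else:
            raise ValueError("unichar without a name or code attribute")
    return resolved
```

Running the validator over untrusted markup before calling the PDF generator turns the attribute into a code point or a rejected request, never into executed code.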

# Reference
https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md

# Has vendor confirmed or acknowledged the vulnerability?
true

# Discoverer
Ravi Prakash Giri