1 vulnerability by pyhtml2pdf
CVE-2024-1647 (GCVE-0-2024-1647)
Vulnerability from cvelistv5 – Published: 2024-02-19 23:59 – Updated: 2025-12-03 20:21
Title
pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS
Summary
Pyhtml2pdf version 0.0.6 allows a remote, external attacker to read
arbitrary local files. This is possible because the application does not
validate HTML content supplied by the user, so attacker-controlled markup is
processed on the server side (the "Server Side XSS" named in the title).
Severity (CVSS 3.1)
7.5 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| pyhtml2pdf | pyhtml2pdf | Affected: 0.0.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pyhtml2pdf_project:pyhtml2pdf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf_project",
"versions": [
{
"status": "affected",
"version": "00.0.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1647",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T20:47:01.112779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:34:38.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pyhtml2pdf",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf",
"versions": [
{
"status": "affected",
"version": "0.0.6"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pyhtml2pdf:pyhtml2pdf:0.0.6:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2024-02-19T23:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\u003c/div\u003e\u003cdiv\u003earbitrary local files. This is possible because the application does not\u003c/div\u003e\u003cdiv\u003evalidate the HTML content entered by the user.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\n\narbitrary local files. This is possible because the application does not\n\nvalidate the HTML content entered by the user."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:21:55.600Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2024-1647",
"datePublished": "2024-02-19T23:59:17.082Z",
"dateReserved": "2024-02-19T21:52:22.394Z",
"dateUpdated": "2025-12-03T20:21:55.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}