pyhtml2pdf 0.0.6 - Local File Read

Summary

Namepyhtml2pdf 0.0.6 - Local File Read
Code name
ProductPyhtml2pdf
Affected versionsVersion 0.0.6
StatePublic
Release date2024-02-19

Vulnerability

KindServer Side XSS
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSSv3.1 Base Score7.5
Exploit availableYes
CVE ID(s)

Description

Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.

Vulnerability

This vulnerability occurs because the application does not validate that the HTML content entered by the user is not malicious.

Exploitation

To exploit this vulnerability, we only need to send the following malicious HTML to pyhtml2pdf:

Exploit.html

<iframe width="10000px" height="10000px" src=file:///etc/passwd></iframe>

Thus, when pyhtml2pdf parses the malicious HTML, it will return the local file specified in the generated PDF.

Evidence of exploitation

LFR-pyhtml2pdf

LFR-pyhtml2pdf

Our security policy

We have reserved the ID CVE-2024-1647 to refer to this issue from now on.

System Information

  • Version: Pyhtml2pdf 0.0.6

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://pypi.org/project/pyhtml2pdf/

Timeline

Time-lapse-logo

2024-01-14

Vulnerability discovered.

Time-lapse-logo

2024-01-14

Vendor contacted.

Time-lapse-logo

2024-02-19

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.