VDB

MAGEIA-2024-60

MAGEIA-2024-60 PUBLISHED

As of fonttools>=4.28.2 the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.

Affected Products

VendorProductVersions
Mageiapython-pyaudio0.2.14-1.mga9, 0
Mageiafonttools0, 4.38.0-2.1.mga9, 0

Timeline

  • Feb 19, 2024 CVE Published
  • Mar 14, 2024 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›