Miggo Logo
Miggo Vulnerability Database
CVE-2019-19450

CVE-2019-19450: ReportLab vulnerable to remote code execution via paraparser

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-19450
GHSA ID
GHSA-pj98-2xf6-cff5
EPSS Score
0.91297%
CWE
CWE-91
Published
9/20/2023
Updated
4/28/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
reportlabpip< 3.5.313.5.31

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems directly from unsafe evaluation of user-controlled input in the start_unichar method of paraparser.py. The CVE description explicitly names this function as the vulnerable component, and the patch notes confirm paraparser modifications in the first patched version (3.5.31). The function's role in processing XML unichar elements with executable code attributes makes it the primary vulnerable entry point visible in runtime traces.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

p*r*p*rs*r in R*portL** ***or* *.*.** *llows r*mot* *o** *x**ution ****us* st*rt_uni***r in p*r*p*rs*r.py *v*lu*t*s untrust** us*r input in * uni***r *l*m*nt in * *r**t** XML *o*um*nt wit* '<uni***r *o**="' *ollow** *y *r*itr*ry Pyt*on *o**, * simil*

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom uns*** *v*lu*tion o* us*r-*ontroll** input in t** `st*rt_uni***r` m*t*o* o* `p*r*p*rs*r.py`. T** *V* **s*ription *xpli*itly n*m*s t*is `*un*tion` *s t** vuln*r**l* *ompon*nt, *n* t** p*t** not*s *on*irm `p*r*p*rs