← back
CVE-2023-45139

fonttools XML External Entity Injection (XXE) Vulnerability

CVSS 7.5 HIGHEPSS 1.2%CWE-611
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 1.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
10 Jan 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
fonttools · fonttools

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4chttps://github.com/fonttools/fonttools/releases/tag/4.43.0https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/http://www.openwall.com/lists/oss-security/2024/03/08/2http://www.openwall.com/lists/oss-security/2024/03/09/1