fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability which allows a malicious user to resolve arbitrary entities when a candidate font (an OT-SVG font) which contains an SVG table is parsed. This allows malicious users to include arbitrary files from the filesystem fontTools is running on or to make web requests from the host system. This vulnerability has been patched in version 4.43.0.
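The weakness described above is a parsing-policy problem: an SVG glyph document never needs a DTD, so a consumer of OT-SVG fonts can refuse any SVG table content that declares one before it reaches an XML parser. The following Python is an added example written for this page; it is not fontTools code and not the project's 4.43.0 fix. It assumes the raw bytes of the SVG table's document have already been extracted from the font, and the sample SVG documents (including the hostile one with a placeholder file path) are constructed for the example.

```python
"""Defensive handling of SVG table content from an OT-SVG font (added example).

Policy: classify the document by what its prolog declares, reject anything
that carries a DTD or entity declarations, and only then parse it with a
parser that never resolves external entities.
"""
import re
import xml.etree.ElementTree as ET

# Prolog patterns. Byte regexes so the check runs before any decoding/parsing.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
# General or parameter ("%") entities that pull content from SYSTEM/PUBLIC ids.
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


class UnsafeSVGError(ValueError):
    """Raised when an SVG document declares a DTD or any entity."""


def classify_svg(svg_bytes: bytes) -> str:
    """Return 'clean', 'dtd', 'internal_entity' or 'external_entity'."""
    if _EXTERNAL_ENTITY_RE.search(svg_bytes):
        return "external_entity"   # XXE shape: entity backed by a URI/path
    if _ENTITY_RE.search(svg_bytes):
        return "internal_entity"   # expansion bombs live here (billion laughs)
    if _DOCTYPE_RE.search(svg_bytes):
        return "dtd"               # no entities, but still nothing a glyph needs
    return "clean"


def safe_parse_svg(svg_bytes: bytes) -> ET.Element:
    """Parse SVG table content, refusing any document that declares a DTD.

    Rejecting every DTD is a cheap, library-independent policy: whichever XML
    library parses the document later, no declared entity can be expanded.
    The stdlib parser used here additionally never resolves external entities.
    """
    verdict = classify_svg(svg_bytes)
    if verdict != "clean":
        raise UnsafeSVGError(f"SVG document rejected: {verdict}")
    return ET.fromstring(svg_bytes)


def is_rejected(svg_bytes: bytes) -> bool:
    """True if the policy refuses the document (used by the checks below)."""
    try:
        safe_parse_svg(svg_bytes)
    except UnsafeSVGError:
        return True
    return False


def svg_glyph_ids(svg_bytes: bytes) -> list:
    """Collect glyph element ids (e.g. 'glyph1') from a policy-checked document."""
    root = safe_parse_svg(svg_bytes)
    return [el.get("id") for el in root.iter()
            if (el.get("id") or "").startswith("glyph")]


# Constructed samples (not taken from any real font).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph1"><path d="M0 0h10v10z"/></g>
  <g id="glyph2"><path d="M0 0h20v20z"/></g>
</svg>"""

# Hostile shape from the advisory: an external entity pointing at a local file.
# The path is a placeholder, not a real target.
HOSTILE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text id="glyph1">&ext;</text></svg>"""

if __name__ == "__main__":
    print("benign glyph ids:", svg_glyph_ids(BENIGN_SVG))
    print("hostile verdict:", classify_svg(HOSTILE_SVG),
          "rejected:", is_rejected(HOSTILE_SVG))
```

The classification is deliberately coarser than "is this specific entity dangerous": a DOCTYPE of any kind in glyph data is already a strong signal, and logging the verdict string gives a detection hook for fonts arriving through an upload or build pipeline.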
Vulnerable Product |
---|
fonttools fonttools |
Who knew that unzipping a font archive could unleash a malicious file
Online graphic design platform Canva went looking for security problems in fonts, and found three – in "strange places." On its engineering blog, the Australian outfit explained it's "continuously looking for ways to uplift the security of [its] processes, software, supply chain, and tools," leading it to the "less explored attack surfaces, such as fonts that present a complex and prevalent part of graphics processing." That effort yielded three type-related vulns. CVE-2023-45139 is a high-sev...