Published: 16 October 2019
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
The first commit in the bug, according to the comments, doesn't fix the bug; it also breaks some tests.
The second commit uses a significant amount of code and may not be licensed correctly. See the comment from Marek Kasik for a minimal patch from Red Hat.
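The pattern the description names, a color attribute taken from untrusted XML and handed to `eval()`, beside a strict parser that accepts only the color syntaxes a document should carry. This is an added illustration, not ReportLab's code nor the Red Hat patch; the accepted syntaxes (named colors, `#rrggbb`, `(r, g, b)` floats) and the helper names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed stand-in for the vulnerable pattern (illustration, not ReportLab's code):
# whatever string sits in the color attribute is executed as a Python expression.
def unsafe_to_color(arg: str):
    return eval(arg)  # any expression in the attribute runs in the renderer's process

# Hardened replacement: recognise a fixed set of color syntaxes, never evaluate code.
_NAMED = {"red": (1.0, 0.0, 0.0), "green": (0.0, 0.5, 0.0), "blue": (0.0, 0.0, 1.0)}
_HEX_RE = re.compile(r"^#([0-9a-fA-F]{6})$")
_RGB_RE = re.compile(r"^\(?\s*([0-9.]+)\s*,\s*([0-9.]+)\s*,\s*([0-9.]+)\s*\)?$")

class ColorError(ValueError):
    """Raised for anything that is not a recognised color literal."""

def safe_to_color(arg: str) -> Tuple[float, float, float]:
    """Return (r, g, b) floats in [0, 1] or raise ColorError; the input is never eval'd."""
    if not isinstance(arg, str):
        raise ColorError("color must be a string")
    s = arg.strip()
    if s.lower() in _NAMED:
        return _NAMED[s.lower()]
    m = _HEX_RE.match(s)
    if m:
        v = int(m.group(1), 16)
        return ((v >> 16) / 255.0, ((v >> 8) & 0xFF) / 255.0, (v & 0xFF) / 255.0)
    m = _RGB_RE.match(s)
    if m:
        parts = tuple(float(x) for x in m.groups())
        if all(0.0 <= p <= 1.0 for p in parts):
            return parts
        raise ColorError("rgb components must lie in [0, 1]")
    # Arbitrary Python (calls, imports, arithmetic) falls through to here and is rejected.
    raise ColorError(f"unrecognised color {arg!r}")

def span_color_from_xml(xml_text: str) -> Tuple[float, float, float]:
    """Parse the first <span color="..."> in a document with the strict parser."""
    root = ET.fromstring(xml_text)
    span = root if root.tag == "span" else root.find(".//span")
    if span is None or "color" not in span.attrib:
        raise ColorError("no <span color=...> found")
    return safe_to_color(span.attrib["color"])
```

The strict parser turns the "arbitrary Python code" case into a `ColorError` at parse time, which is also the point to log and reject the document.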