CVE-2022-43983

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's that use the file:// protocol.
Configurations

Configuration 1 (hide)

cpe:2.3:a:spatie:browsershot:3.57.2:*:*:*:*:*:*:*

History

21 Nov 2024, 07:27

Type Values Removed Values Added
References () https://fluidattacks.com/advisories/khalid/ - Exploit, Third Party Advisory () https://fluidattacks.com/advisories/khalid/ - Exploit, Third Party Advisory
References () https://github.com/spatie/browsershot/ - Product () https://github.com/spatie/browsershot/ - Product

Information

Published : 2022-11-25 17:15

Updated : 2024-11-21 07:27


NVD link : CVE-2022-43983

Mitre link : CVE-2022-43983

CVE.ORG link : CVE-2022-43983


JSON object : View

Products Affected

spatie

  • browsershot
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')