CVE-2022-43984

Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol.
Configurations

Configuration 1 (hide)

cpe:2.3:a:spatie:browsershot:3.57.3:*:*:*:*:*:*:*

History

21 Nov 2024, 07:27

Type Values Removed Values Added
References () https://fluidattacks.com/advisories/malone/ - Exploit, Third Party Advisory () https://fluidattacks.com/advisories/malone/ - Exploit, Third Party Advisory
References () https://github.com/spatie/browsershot/ - Product () https://github.com/spatie/browsershot/ - Product

Information

Published : 2022-11-25 17:15

Updated : 2024-11-21 07:27


NVD link : CVE-2022-43984

Mitre link : CVE-2022-43984

CVE.ORG link : CVE-2022-43984


JSON object : View

Products Affected

spatie

  • browsershot
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')