CVE-2022-43984

spatie/browsershot

on GitHub

Published

Nov 25, 2022

Severity

CVSS v3:

8.2 HIGH

CVSS v2:

N/A

Description

Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol.

References

https://fluidattacks.com/advisories/malone/
https://github.com/spatie/browsershot/

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:spatie:browsershot:3.57.3:::::::*	n/a	n/a	3.57.3

External Links

NVD - CVE-2022-43984