CVE-2022-43983 – spatie/browsershot
Package
Manager: composer
Name: spatie/browsershot
Vulnerable Version: >=0 <3.57.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00135 (percentile: 0.33978)
Details
Browsershot vulnerable to Cross-Site Scripting (XSS)

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not check whether the HTML content passed to the Browsershot::html method contains URLs that use the file:// protocol.
Metadata
Created: 2022-11-25T18:30:25Z
Modified: 2025-04-29T15:36:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-82h9-v8vh-mfpq/GHSA-82h9-v8vh-mfpq.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-82h9-v8vh-mfpq
Finding: F008
Auto approve: 1