CVE-2022-43984 – spatie/browsershot
Package
Manager: composer
Name: spatie/browsershot
Vulnerable Version: >=0 <3.57.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00135 (percentile 0.33978)
Details
Browsershot version 3.57.3 is vulnerable to improper input validation. Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that JS content imported from an external source and passed to the Browsershot::html method contains no URLs that use the file:// protocol.
Metadata
Created: 2022-11-25T18:30:25Z
Modified: 2025-04-29T15:36:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-6q49-35h6-rq2p/GHSA-6q49-35h6-rq2p.json
CWE IDs: ["CWE-20", "CWE-79"]
Alternative ID: GHSA-6q49-35h6-rq2p
Finding: F008
Auto approve: 1