CVE-2024-1648 – electron-pdf
Package
Manager: npm
Name: electron-pdf
Vulnerable Version: >=0 <=20.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00183 (percentile 0.40284)
Details
Cross-site Scripting in electron-pdf
electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.
Metadata
Created: 2024-02-20T03:30:57Z
Modified: 2024-02-21T00:16:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3jcv-5f9p-2f2p/GHSA-3jcv-5f9p-2f2p.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-3jcv-5f9p-2f2p
Finding: F008
Auto approve: 1